Google Git
Sign in
android / platform / external / sepolicy / b4c4424c99dcb5aace69f3bc5593635e045fb519
commitb4c4424c99dcb5aace69f3bc5593635e045fb519[log] [tgz]
authorNick Kralevich <nnk@google.com>Thu Feb 26 16:49:15 2015 -0800
committerNick Kralevich <nnk@google.com>Thu Feb 26 16:55:51 2015 -0800
tree5472bb7feb8690c56615d82b7e42d44225e2c3d4
parentd99ea5a8af11216fb3e2e315c6310d2af4f02afc [diff]
dontaudit clatd self:capability ipc_lock

clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
capable(CAP_IPC_LOCK), and then checks to see the requested amount is
under RLIMIT_MEMLOCK. The latter check succeeds. As a result, clatd
does not need CAP_IPC_LOCK, so we suppress any denials we see
from clatd asking for this capability.
See https://android-review.googlesource.com/127940

Suppresses the following denial:
  type=1400 audit(1424916750.163:7): avc: denied { ipc_lock } for pid=3458 comm="clatd" capability=14 scontext=u:r:clatd:s0 tcontext=u:r:clatd:s0 tclass=capability

Change-Id: Ica108f66010dfc6a5431efa0b4e58f6a784672d1
1 file changed
tree: 5472bb7feb8690c56615d82b7e42d44225e2c3d4
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dex2oat.te
  14. dhcp.te
  15. dnsmasq.te
  16. domain.te
  17. drmserver.te
  18. dumpstate.te
  19. file.te
  20. file_contexts
  21. fs_use
  22. fsck.te
  23. genfs_contexts
  24. global_macros
  25. gpsd.te
  26. hci_attach.te
  27. healthd.te
  28. hostapd.te
  29. init.te
  30. initial_sid_contexts
  31. initial_sids
  32. inputflinger.te
  33. install_recovery.te
  34. installd.te
  35. isolated_app.te
  36. kernel.te
  37. keys.conf
  38. keystore.te
  39. lmkd.te
  40. logd.te
  41. mac_permissions.xml
  42. mdnsd.te
  43. mediaserver.te
  44. mls
  45. mls_macros
  46. mtp.te
  47. net.te
  48. netd.te
  49. neverallow_macros
  50. nfc.te
  51. NOTICE
  52. platform_app.te
  53. policy_capabilities
  54. port_contexts
  55. ppp.te
  56. property.te
  57. property_contexts
  58. racoon.te
  59. radio.te
  60. README
  61. recovery.te
  62. rild.te
  63. roles
  64. runas.te
  65. sdcardd.te
  66. seapp_contexts
  67. security_classes
  68. service.te
  69. service_contexts
  70. servicemanager.te
  71. shared_relro.te
  72. shell.te
  73. su.te
  74. surfaceflinger.te
  75. system_app.te
  76. system_server.te
  77. te_macros
  78. tee.te
  79. toolbox.te
  80. ueventd.te
  81. unconfined.te
  82. uncrypt.te
  83. untrusted_app.te
  84. users
  85. vdc.te
  86. vold.te
  87. watchdogd.te
  88. wpa.te
  89. zygote.te