在AOSP构建中,我收到了关注avc拒绝消息,
01-01 00:01:28.600 1458-1458/? W/iw﹕ type=1400 audit(0.0:5): avc: denied { create } for scontext=u:r:system_app:s0 tcontext=u:r:system_app:s0 tclass=netlink_socket permissive=0
01-01 00:01:28.660 1460-1460/? W/ndc﹕ type=1400 audit(0.0:6): avc: denied { write } for name="netd" dev="tmpfs" ino=1575 scontext=u:r:system_app:s0 tcontext=u:object_r:netd_socket:s0 tclass=sock_file permissive=0
01-01 00:01:28.720 1461-1461/? W/ndc﹕ type=1400 audit(0.0:7): avc: denied { write } for name="netd" dev="tmpfs" ino=1575 scontext=u:r:system_app:s0 tcontext=u:object_r:netd_socket:s0 tclass=sock_file permissive=0
01-01 00:01:28.790 1462-1462/? W/ndc﹕ type=1400 audit(0.0:8): avc: denied { write } for name="netd" dev="tmpfs" ino=1575 scontext=u:r:system_app:s0 tcontext=u:object_r:netd_socket:s0 tclass=sock_file permissive=0
01-01 00:01:28.860 1463-1463/? W/ndc﹕ type=1400 audit(0.0:9): avc: denied { write } for name="netd" dev="tmpfs" ino=1575 scontext=u:r:system_app:s0 tcontext=u:object_r:netd_socket:s0 tclass=sock_file permissive=0
使用audit2allow我得到了以下
allow system_app netd_socket:sock_file write;
allow system_app self:netlink_socket create;
我已将其添加到device/<vendor-path>/sepolicy/system_app.te
还从neverallow
external/sepolicy/app.te政策中的系统应用
neverallow { appdomain -system_app }
self:{
netlink_socket
netlink_firewall_socket
netlink_tcpdiag_socket
netlink_nflog_socket
netlink_xfrm_socket
netlink_audit_socket
netlink_ip6fw_socket
netlink_dnrt_socket
} *;
但仍获得相同的权限否认avc日志。
答案 0 :(得分:1)
从您的更改中看不出任何错误。假设您的sepolicy更改没有构建到内核中 请尝试make kernelclean并重建内核,vim在以下文件中:
out/target/product/xxxx/obj/ETC/sepolicy_intermediates/policy.conf
所有sepolicy应该在policy.conf中,grep你的新添加策略以检查它是否已编译到内核中。