type=1400 audit(0.0:18): avc: denied { ioctl } for path="socket:[57632]" dev="sockfs" ino=57632 ioctlcmd=8927 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=tcp_socket permissive=0

For an avc denial like the one above that carries an ioctlcmd value:
1、Look up the matching definition in system/sepolicy/ioctl_defines. For ioctlcmd=8927 above, the entry is define(`SIOCGIFHWADDR', `0x00008927')
2、In system/sepolicy/untrusted_app.te (the .te file for the domain in scontext), add: allowxperm untrusted_app self:tcp_socket ioctl SIOCGIFHWADDR;
Format: allowxperm {domain from scontext} self:{tclass} ioctl SIOCGIFHWADDR; (self is used here because scontext and tcontext are the same domain)
How to read an avc denial:
type=1400 audit(0.0:41): avc: denied { read } for name="u:object_r:media_prop:s0" dev="tmpfs" ino=11511 scontext=u:r:mediacodec:s0 tcontext=u:object_r:media_prop:s0 tclass=file permissive=0
1、The missing permission: { permission }
2、Which process was denied: scontext=u:r:<process domain>:s0
3、Which object it was denied on: tcontext=u:object_r:<object type>:s0
4、The class of the object being accessed: tclass=<class of the accessed object>
type=1400 audit(0.0:9): avc: denied { getattr } for path="/dev/block/mmcblk1p12" dev="tmpfs" ino=2369 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0

When the scontext carries MLS categories such as c512,c768 above (and the tcontext does not), the domain must also be given the mlstrustedsubject attribute. For the denial above, change system/sepolicy/untrusted_app.te as follows:
--- type untrusted_app, domain;
+++ type untrusted_app, domain, mlstrustedsubject;
+++ allow untrusted_app block_device:blk_file getattr;
type=1400 audit(0.0:41): avc: denied { read } for name="u:object_r:media_prop:s0" dev="tmpfs" ino=11511 scontext=u:r:mediacodec:s0 tcontext=u:object_r:media_prop:s0 tclass=file permissive=0

For a denial like the one above (no ioctlcmd, no extra MLS categories), a single allow rule is enough. Add to /system/sepolicy/mediacodec.te:
allow mediacodec media_prop:file { read };
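The four patterns above (read the denial fields, add allowxperm when ioctlcmd is present, add mlstrustedsubject when the scontext carries categories the tcontext lacks, otherwise a plain allow rule) can be mechanised. The script below is an added example, not part of these notes or of the Android sepolicy tree: it parses avc lines into their fields and prints which .te file to touch and which rule the notes would add. The three sample denials are the ones quoted above; the ioctl name table holds only the SIOCGIFHWADDR entry from the notes and is assumed to be filled from the ioctl_defines file for real use. Like audit2allow, it only proposes the rule; whether a domain such as untrusted_app should receive it is a policy-review decision.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the three denials quoted in the notes above.
SAMPLE_DENIALS = [
    'type=1400 audit(0.0:18): avc: denied { ioctl } for path="socket:[57632]" dev="sockfs" '
    'ino=57632 ioctlcmd=8927 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:r:untrusted_app:s0:c512,c768 tclass=tcp_socket permissive=0',
    'type=1400 audit(0.0:9): avc: denied { getattr } for path="/dev/block/mmcblk1p12" '
    'dev="tmpfs" ino=2369 scontext=u:r:untrusted_app:s0:c512,c768 '
    'tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0',
    'type=1400 audit(0.0:41): avc: denied { read } for name="u:object_r:media_prop:s0" '
    'dev="tmpfs" ino=11511 scontext=u:r:mediacodec:s0 '
    'tcontext=u:object_r:media_prop:s0 tclass=file permissive=0',
]

# ioctlcmd -> name. Only the entry the notes quote is present; in practice this table
# is generated from the ioctl_defines file mentioned above (assumption).
IOCTL_NAMES = {0x8927: "SIOCGIFHWADDR"}

AVC_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
IOCTL_RE = re.compile(r"\bioctlcmd=(?P<cmd>(?:0x)?[0-9a-fA-F]+)")


@dataclass
class Denial:
    perms: List[str]          # item 1 of the reading guide: { permission }
    scontext: str             # item 2: which process
    tcontext: str             # item 3: which object
    tclass: str               # item 4: class of the object
    ioctlcmd: Optional[int] = None


@dataclass
class Suggestion:
    te_file: str                    # .te file named after the scontext domain
    needs_mlstrustedsubject: bool   # source has MLS categories the target lacks
    rules: List[str]


def split_context(ctx: str):
    """'u:r:untrusted_app:s0:c512,c768' -> ('untrusted_app', {'c512', 'c768'})."""
    parts = ctx.split(":")
    cats = set(parts[4].split(",")) if len(parts) > 4 else set()
    return parts[2], cats


def parse_denial(line: str) -> Denial:
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an avc denial line: " + line)
    ioctl = IOCTL_RE.search(line)
    # ioctlcmd is printed in hex (8927 means 0x8927), so always parse base 16.
    cmd = int(ioctl.group("cmd"), 16) if ioctl else None
    return Denial(m.group("perms").split(), m.group("scontext"),
                  m.group("tcontext"), m.group("tclass"), cmd)


def suggest(d: Denial) -> Suggestion:
    sdom, scats = split_context(d.scontext)
    ttype, tcats = split_context(d.tcontext)
    # 'self' when source and target are the same domain (the tcp_socket case above).
    target = "self" if sdom == ttype else ttype
    if d.ioctlcmd is not None:
        # ioctl denial with ioctlcmd: an allowxperm rule naming the ioctl, as in the
        # notes; the base 'allow ... ioctl' rule is assumed to exist already.
        name = IOCTL_NAMES.get(d.ioctlcmd, "0x%08x" % d.ioctlcmd)
        rules = ["allowxperm %s %s:%s ioctl %s;" % (sdom, target, d.tclass, name)]
    else:
        rules = ["allow %s %s:%s { %s };" % (sdom, target, d.tclass, " ".join(d.perms))]
    # Source carries categories (c512,c768) the target does not: the plain allow
    # rule is not enough, the domain also needs mlstrustedsubject.
    mls = bool(scats) and not scats <= tcats
    return Suggestion("system/sepolicy/%s.te" % sdom, mls, rules)


def suggest_all(lines):
    return [suggest(parse_denial(line)) for line in lines]


if __name__ == "__main__":
    for s in suggest_all(SAMPLE_DENIALS):
        flag = "  (add mlstrustedsubject to the type declaration)" if s.needs_mlstrustedsubject else ""
        print(s.te_file + flag)
        for r in s.rules:
            print("    " + r)
```

Running it prints, for the three samples, the untrusted_app.te allowxperm rule, the untrusted_app.te getattr rule flagged for mlstrustedsubject, and the mediacodec.te read rule, matching the edits written out above.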