Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 342362ae3e1afa577a73dc7f154a9de7da96edc4
commit342362ae3e1afa577a73dc7f154a9de7da96edc4[log] [tgz]
authorBenjamin Gordon <bmgordon@google.com>Thu Sep 06 16:19:40 2018 -0600
committerBenjamin Gordon <bmgordon@google.com>Wed Sep 19 15:54:37 2018 -0600
tree42542e8ffd6aefdf3d3e0b5728359840b84cdd93
parent51dc7cb1d411215a7361feebfeaf1f976ce6cf30 [diff]
sepolicy: grant dac_read_search to domains with dac_override

kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
21 files changed
tree: 42542e8ffd6aefdf3d3e0b5728359840b84cdd93
  1. build/
  2. prebuilts/
  3. private/
  4. public/
  5. reqd_mask/
  6. tests/
  7. tools/
  8. vendor/
  9. Android.bp
  10. Android.mk
  11. CleanSpec.mk
  12. definitions.mk
  13. MODULE_LICENSE_PUBLIC_DOMAIN
  14. NOTICE
  15. OWNERS
  16. PREUPLOAD.cfg
  17. README
  18. treble_sepolicy_tests_for_release.mk