diff options
| author | Nick Kralevich <nnk@google.com> | 2017-01-03 08:37:54 -0800 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2017-01-03 13:50:13 -0800 |
| commit | d0da1c5c2a236c1c59fac4a664e3e4956de8b7e5 (patch) | |
| tree | 25b712ba94801607df32fc757d6fc59369ae22a0 /libutils/Unicode.cpp | |
| parent | 572ac060d96bc36e39e3de96a9ff1185bd97db10 (diff) | |
Send property_service AVC messages to the kernel audit system
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.
Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.
After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:
type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service'
Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
Diffstat (limited to 'libutils/Unicode.cpp')
0 files changed, 0 insertions, 0 deletions