Hi Stephen,

I'm wondering what the reasoning is for the sysfs_devices_system_cpu type and policies to only be in grouper (device/asus/grouper/sepolicy) and not global?

sources/android/cpufeatures/cpu-features.c in the Android NDK has a get_cpu_count function that reads from the /sys/devices/system/cpu/present and /sys/devices/system/cpu/possible files.

Some related discussion here: https://code.google.com/p/android/issues/detail?id=26490

Thanks,
Mike

>-----Original Message-----
>From: [email protected] [mailto:owner-seandroid-
>[email protected]] On Behalf Of Stephen Smalley
>Sent: Tuesday, March 26, 2013 4:25 PM
>To: Persaud, Ryan K.
>Cc: [email protected]
>Subject: Re: /sys/devices/system/cpu denials
>
>On 03/26/2013 04:10 PM, Persaud, Ryan K. wrote:
>> Hello,
>>
>> We ran our testing framework with the seandroid-4.2 branch on a Nexus 7
>> tablet against 126 popular free apps from the Google Play store. A
>> denial that occurred for 11 applications can be seen below (1). Based on
>> some investigation, it looks like these applications are trying to
>> determine the number of CPU cores on a device
>> (http://stackoverflow.com/questions/7962155/how-can-you-detect-a-dual-core-cpu-on-an-android-device-from-code).
>> Given that it appears that a not insignificant number of applications
>> regularly examine /sys/devices/system/cpu, should a policy be added to
>> allow this? As far as I can tell, none of the applications crashed due
>> to the denial, but I'm not sure what the performance implications are.
>>
>> The same denial (2) also occurred 23 times for ActivityManager during
>> testing. Our investigation of the ActivityManager sources and
>> documentation did not lead to any obvious culprits. Any idea why
>> ActivityManager would also be causing these denials? Is it possible
>> that the denials are being misattributed to the ActivityManager? Once
>> testing stopped, and the device was idle, the ActivityManager denials
>> ceased.
>>
>> 1) audit(1363573739.308:52): avc: denied { search } for pid=7762
>> comm="t.cartooncamera" name="cpu" dev=sysfs ino=26
>> scontext=u:r:untrusted_app:s0:c44,c256
>> tcontext=u:object_r:sysfs_devices_system_cpu:s0 tclass=dir
>>
>> 2) audit(1363572507.738:40): avc: denied { search } for pid=495
>> comm="ActivityManager" name="cpu" dev=sysfs ino=26
>> scontext=u:r:system:s0 tcontext=u:object_r:sysfs_devices_system_cpu:s0
>> tclass=dir
>>
>> Thanks for the information,
>
>I think these should be resolved by recent changes to the group project.
>
>--
>This message was distributed to subscribers of the seandroid-list mailing list.
>If you no longer wish to subscribe, send mail to [email protected] with
>the words "unsubscribe seandroid-list" without quotes as the message.
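Added example (editor's note, not code from the thread or from the Android NDK): what an app is doing when it triggers the `search` denial above is reading a kernel "cpulist" file such as /sys/devices/system/cpu/present or /sys/devices/system/cpu/possible, which the kernel writes as comma-separated decimal ids and inclusive ranges ("0-3", "0,2-3") followed by a newline, and counting the ids. The function names and the sample strings below are assumptions constructed for illustration; the NDK's own get_cpu_count is not reproduced here. The file-reading path shows the failure mode a practitioner cares about: under an SELinux `search` denial on the parent directory, open() on the file fails (EACCES), so the code must return a sentinel and let the caller fall back rather than treat garbage as a core count.

```c
/* Added example: count CPUs from a Linux cpulist string, as found in
 * /sys/devices/system/cpu/present and /sys/devices/system/cpu/possible.
 * Illustrative code written for this thread; not the NDK's cpu-features.c. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one non-negative decimal integer at *p and advance *p past it.
 * Returns -1 if no digit is present or the value is implausibly large. */
static long parse_num(const char **p)
{
    const char *s = *p;
    char *end;
    long v;

    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || v < 0 || v > 4096)   /* assumed cap on CPU ids */
        return -1;
    *p = end;
    return v;
}

/* Count the CPU ids named by a cpulist string: "0", "0-3", "0,2-3",
 * optionally followed by the kernel's trailing newline. Returns -1 on
 * malformed input so the caller can fall back instead of trusting it. */
int count_cpus_in_list(const char *list)
{
    const char *p = list;
    int total = 0;

    for (;;) {
        long lo = parse_num(&p);
        long hi;
        if (lo < 0)
            return -1;
        hi = lo;
        if (*p == '-') {
            p++;
            hi = parse_num(&p);
            if (hi < lo)            /* also catches a missing upper bound */
                return -1;
        }
        total += (int)(hi - lo + 1);
        if (*p == ',') {
            p++;
            continue;
        }
        break;
    }
    /* Only the kernel's trailing newline (or spaces) may follow. */
    while (*p == '\n' || *p == ' ')
        p++;
    return *p == '\0' ? total : -1;
}

/* Read a sysfs cpulist file and count it. Returns -1 if the file cannot be
 * opened, which is what an SELinux 'search' denial on /sys/devices/system/cpu
 * looks like to the caller (open() fails with EACCES), or if it is malformed. */
int count_cpus_from_file(const char *path)
{
    char buf[256];
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return count_cpus_in_list(buf);
}

int main(void)
{
    /* Constructed sample inputs mirroring the kernel's cpulist format. */
    const char *samples[] = { "0-3\n", "0\n", "0,2-3\n", "0-1,4-7\n", "3-1\n", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], count_cpus_in_list(samples[i]));

    /* On a real device these read sysfs; -1 here means denied or unreadable. */
    printf("present  -> %d\n", count_cpus_from_file("/sys/devices/system/cpu/present"));
    printf("possible -> %d\n", count_cpus_from_file("/sys/devices/system/cpu/possible"));
    return 0;
}
```

A -1 from count_cpus_from_file is exactly the case the denials in this thread produce: the app's open() never reaches the file because the directory lookup is refused, so a robust caller falls back (for example to sysconf(_SC_NPROCESSORS_CONF)) rather than reading a core count of zero.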
