These are from SE for Android master running on a Galaxy Nexus.
Opera actually crashes at startup in both permissive mode and enforcing mode so 
I can't tell if the denial has a real impact. :)
Chrome continues to run fine in both permissive mode and enforcing mode so the 
denial seems to have no real impact.

From com.opera.browser:

type=1400 msg=audit(1373450195.545:679): avc:  denied  { getattr } for  
pid=22328 comm="Thread-637" path="/system/fonts/DroidSans.ttf" dev=mmcblk0p10 
ino=452 scontext=u:r:untrusted_app:s0:c34,c256 
tcontext=u:object_r:system_file:s0 tclass=lnk_file

lrw-r--r-- root     root              u:object_r:system_file:s0 DroidSans.ttf 
-> Roboto-Regular.ttf

Should "allow domain system_file:lnk_file read;" in domain.te be changed to 
"allow domain system_file:lnk_file r_file_perms;" instead?

From com.android.chrome:

type=1400 msg=audit(1373486606.474:1271): avc:  denied  { search } for  
pid=31949 comm="SandboxedProces" name="com.android.chrome" dev=mmcblk0p12 
ino=594517 scontext=u:r:isolated_app:s0 
tcontext=u:object_r:platform_app_data_file:s0 tclass=dir
type=1400 msg=audit(1373486606.474:1272): avc:  denied  { getattr } for  
pid=31949 comm="SandboxedProces" path="/data/data/com.android.chrome" 
dev=mmcblk0p12 ino=594517 scontext=u:r:isolated_app:s0 
tcontext=u:object_r:platform_app_data_file:s0 tclass=dir

Seems like the isolated service might be doing a little bit more than it 
should... but the browser seems to still run fine in enforcing mode, so no 
policy change may be needed.
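
Added example, not part of the original message: a small Python parser that groups the denials quoted above by source type, target type and class, renders them as candidate allow rules for review, and checks whether `read` alone or `r_file_perms` would cover the lnk_file denial. The `r_file_perms` expansion is an assumption based on AOSP's global_macros of that period, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# The three denials from the message above, with the mail line wraps joined.
SAMPLE = """\
type=1400 msg=audit(1373450195.545:679): avc:  denied  { getattr } for  pid=22328 comm="Thread-637" path="/system/fonts/DroidSans.ttf" dev=mmcblk0p10 ino=452 scontext=u:r:untrusted_app:s0:c34,c256 tcontext=u:object_r:system_file:s0 tclass=lnk_file
type=1400 msg=audit(1373486606.474:1271): avc:  denied  { search } for  pid=31949 comm="SandboxedProces" name="com.android.chrome" dev=mmcblk0p12 ino=594517 scontext=u:r:isolated_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=dir
type=1400 msg=audit(1373486606.474:1272): avc:  denied  { getattr } for  pid=31949 comm="SandboxedProces" path="/data/data/com.android.chrome" dev=mmcblk0p12 ino=594517 scontext=u:r:isolated_app:s0 tcontext=u:object_r:platform_app_data_file:s0 tclass=dir
"""

# Assumption: expansion of the r_file_perms macro in AOSP global_macros at the time.
R_FILE_PERMS = {"getattr", "open", "read", "ioctl", "lock"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission list."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields

def context_type(ctx):
    # A context is user:role:type:level[:categories]; policy rules use the type.
    return ctx.split(":")[2]

def summarize(text):
    """Merge denials sharing (source type, target type, class) into one perm set."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
            rules[key].update(rec["perms"])
    return rules

def to_allow(rules):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(rules.items())]

def missing(denied, granted):
    """Permissions that were denied and are not covered by the granted set."""
    return set(denied) - set(granted)

if __name__ == "__main__":
    for rule in to_allow(summarize(SAMPLE)):
        print(rule)
    print("read only:", missing({"getattr"}, {"read"}), "r_file_perms:", missing({"getattr"}, R_FILE_PERMS))
```

The rules it prints are candidates for review rather than policy to merge as-is, in line with the observation above that Chrome runs fine in enforcing mode without the isolated_app access.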

