BTW, if your goal is simply to make /dev/fimg2d accessible to apps, you
could likely just assign it u:object_r:gpu_device:s0 in your
device/samsung/<board>/sepolicy/file_contexts file.  Or you could introduce
a new type for this purpose.  But I wouldn't open up direct access to all
video devices.

On Mon, Dec 29, 2014 at 10:52 AM, Stephen Smalley <[email protected]> wrote:

> /dev/mali0 is labeled u:object_r:gpu_device:s0 in the
> device/samsung/manta/sepolicy/file_contexts file.  Looks like your device
> policy does not assign it a specific label and it is defaulting to
> u:object_r:device:s0, thereby causing your bootanim denials.
>
> /dev/fimg2d is labeled u:object_r:video_device:s0 in the
> device/samsung/manta/sepolicy/file_contexts file, which seems to match
> yours, but video_device is not directly accessible to apps, only to
> privileged components like system_server and mediaserver.  ueventd.manta.rc
> assigns /dev/fimg2d mode 0660 and ownership media media, so it is not even
> directly accessible to apps under DAC on manta / Nexus 10.  If your device
> requires it to be directly accessible, you need to label it with a
> different type than video_device under current policy.  Also I am wondering
> about your zygote denials; why would the zygote be opening that device?
>
> On Sun, Dec 28, 2014 at 10:44 PM, 조재익 <[email protected]> wrote:
>
>>  On a 3.10 kernel with Lollipop 5.0.0.1, several errors cause boot problems.
>> If I try to add audit2allow results to /device/.../sepolicy, they conflict
>> with the neverallow policy in /external/sepolicy.
>>
>> Any solutions? The errors are as follows.
>>
>>
>>
>> 1. bootanim related issue
>>
>> type=1400 audit(1388844565.050:4): avc: denied { read write } for
>> pid=2063 comm="BootAnimation" name="mali0" dev="tmpfs" ino=2728
>> scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file
>> permissive=0
>>
>>
>>
>> 2. fimg2d related issues
>>
>> [  224.442445]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15602): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.465052]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15603): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.487766]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15604): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.510375]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15605): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.533030]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15606): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.555665]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15607): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.578323]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15608): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.600941]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15609): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.623592]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15610): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>> [  224.646251]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844767.080:15611): avc: denied { open } for pid=9830 comm="main"
>> path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
>> tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
>>
>> [  217.459917]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15392): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.484161]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15393): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.508492]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15394): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.532760]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15395): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.557085]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15396): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.581294]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15397): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.605709]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15398): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.629945]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15399): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.654228]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15400): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.678452]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15401): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.702768]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15402): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>> [  217.727067]  [5:    logd.auditd: 1979] [c5] type=1400
>> audit(1388844757.580:15403): avc: denied { read write } for pid=9581
>> comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930
>> scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0
>> tclass=chr_file permissive=0
>>
>>
>>
>> Regards,
>>
>>
>>
>>
>> *Jaeik Cho*
>> *Senior Engineer, Ph.D.*
>>
>> ___________________________________________
>>
>> Security Part, S/W Solution Dev. Team
>>
>> System LSI, *SAMSUNG ELECTRONICS CO.,LTD.*
>>
>> Office : +82-31-8037-5209     Fax : +82-31-8000-8000 (75209)
>>
>> Cell : +82-10-4500-1125
>> Personal e-mail : [email protected]
>>
>>
>>
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
>>
>
>
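The triage walked through in this thread, as an added example that is not part of the original messages: it parses the AVC denials, collapses the repeats, and separates nodes left on the generic `device` type from nodes whose assigned type the requesting domain cannot use. The function names and the two finding labels (`missing-label`, `type-not-granted`) are assumptions made for illustration.

```python
import re
from posixpath import basename

# Constructed sample: denials copied from the thread, with repeats kept and
# one record left wrapped the way the mail client wrapped it.
SAMPLE_LOG = '''
type=1400 audit(1388844565.050:4): avc: denied { read write } for pid=2063 comm="BootAnimation" name="mali0" dev="tmpfs" ino=2728 scontext=u:r:bootanim:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=0
[  224.442445]  [5:    logd.auditd: 1979] [c5] type=1400
audit(1388844767.080:15602): avc: denied { open } for pid=9830 comm="main"
path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
[  224.465052]  [5:    logd.auditd: 1979] [c5] type=1400 audit(1388844767.080:15603): avc: denied { open } for pid=9830 comm="main" path="/dev/fimg2d" dev="tmpfs" ino=2930 scontext=u:r:zygote:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
[  217.459917]  [5:    logd.auditd: 1979] [c5] type=1400 audit(1388844757.580:15392): avc: denied { read write } for pid=9581 comm="ndroid.launcher" name="fimg2d" dev="tmpfs" ino=2930 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0
'''

RECORD_SPLIT = re.compile(r'type=1400 audit\(')
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log):
    """Yield one dict per AVC denial; tolerates records wrapped across lines."""
    flat = " ".join(log.split())
    for chunk in RECORD_SPLIT.split(flat)[1:]:
        m = PERMS_RE.search(chunk)
        if m:
            rec = {k: quoted or bare for k, quoted, bare in KV_RE.findall(chunk)}
            rec["perms"] = set(m.group(1).split())
            yield rec

def summarize(log):
    """Collapse repeats per (domain, target type, node) and classify each."""
    out = {}
    for rec in parse_denials(log):
        domain = rec["scontext"].split(":")[2]
        ttype = rec["tcontext"].split(":")[2]
        node = basename(rec.get("path") or rec.get("name", "?"))
        entry = out.setdefault((domain, ttype, node), {"perms": set(), "count": 0})
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        # Generic 'device' type: no specific file_contexts entry for the node,
        # as the reply explains for mali0. Anything else is already labeled,
        # but with a type this domain is not allowed to use.
        entry["finding"] = "missing-label" if ttype == "device" else "type-not-granted"
    return out

if __name__ == "__main__":
    for (domain, ttype, node), e in summarize(SAMPLE_LOG).items():
        print(f"{domain} -> {ttype}:{node} {sorted(e['perms'])} x{e['count']} {e['finding']}")
```

A `missing-label` finding points at file_contexts, while `type-not-granted` points at the choice of type for the node, which is the distinction that keeps audit2allow output from colliding with the neverallow rules.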