On 12/06/2016 02:10 AM, Sameer Joshi wrote:
> Hi All,
> 
> We are working on passing the CTS test results for the device that we
> are making.
> 
> One of the test cases in the CTS test suite verifies the delay caused in
> recording a certain number of samples and if the delay is higher, it fails.
> 
> We see that one of the causes of the delay could be related to the following
> selinux denial:
> 
> 12-01 19:32:19.400  3626  3626 W Binder_1: type=1400 audit(0.0:426):
> avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0
> tcontext=u:r:shell:s0 tclass=capability permissive=0
> 
> We get these denials continuously while running audio related CTS tests.
> 
> There is a neverallow rule in app.te that restricts any domain other
> than bluetooth to get the sys_nice capability.  So, we can't give shell
> the ability to use sys_nice.
> 
> 
> Unfortunately, the denial shown above just mentions Binder_1 and we are
> not sure which Binder thread is triggering this denial and why. Is there
> a way to get more information about this denial from the Binder
> thread? Any help in fixing this denial would be helpful.

No pid= or comm= information?  What kernel are you using?

We also often patch our Android kernels to always include system call,
path, and other auxiliary records.  You can find patches for doing that
from our old bitbucket.org/seandroid kernel repositories; look on the
seandroid- branches.  It is just a matter of setting audit_default = 1
in kernel/audit.c (or, equivalently, you could just add audit=1 to your
kernel boot parameters) and setting audit_n_rules = 1 in
kernel/auditsc.c (normally this is done by adding a rule from userspace
via auditctl, but Android doesn't include that). Our kernel patch also
typically removed the printk_ratelimit() checks to avoid losing any
records during bootup, but that's a separate issue.
_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.
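
An added example, not part of the original message or of the SE for Android project: a small Python parser that takes the denial quoted in the thread, reports whether the pid= and comm= fields the reply asks about are present in the AVC record, and decodes the capability number. The logcat "threadtime" prefix layout, the name `parse_denial` and the second sample line are assumptions made for illustration.

```python
import re

# Capability numbers from include/uapi/linux/capability.h (subset).
CAP_NAMES = {1: "dac_override", 12: "net_admin", 19: "sys_ptrace",
             21: "sys_admin", 23: "sys_nice", 24: "sys_resource"}

# Assumed logcat "threadtime" prefix: date time PID TID priority tag:
LOGCAT_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+\w\s+(?P<tag>[^:]+):")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return a dict describing one AVC denial, or None if the line has none."""
    avc = AVC_RE.search(line)
    if avc is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group("rest"))}
    out = {
        "perms": avc.group("perms").split(),
        "fields": fields,
        # The two auxiliary fields the reply asks about.
        "missing": [k for k in ("pid", "comm") if k not in fields],
    }
    if fields.get("tclass", "").startswith("capability") and "capability" in fields:
        num = int(fields["capability"])
        out["capability_name"] = CAP_NAMES.get(num, "unknown(%d)" % num)
    prefix = LOGCAT_RE.match(line)
    if prefix:  # only present when the line came through logcat
        out["logcat"] = {"pid": int(prefix["pid"]), "tid": int(prefix["tid"]),
                         "tag": prefix["tag"].strip()}
    return out


# The denial quoted in the thread, re-joined onto one line.
THREAD_LINE = ('12-01 19:32:19.400  3626  3626 W Binder_1: type=1400 audit(0.0:426): '
               'avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0 '
               'tcontext=u:r:shell:s0 tclass=capability permissive=0')
# Constructed line: an AVC record that does carry pid= and comm=.
CONSTRUCTED_LINE = ('type=1400 audit(0.0:7): avc: denied { sys_nice } for pid=4242 '
                    'comm="example" capability=23 scontext=u:r:shell:s0 '
                    'tcontext=u:r:shell:s0 tclass=capability permissive=0')

if __name__ == "__main__":
    for sample in (THREAD_LINE, CONSTRUCTED_LINE):
        print(parse_denial(sample))
```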
