On 12/06/2016 08:52 AM, Stephen Smalley wrote:
> On 12/06/2016 02:10 AM, Sameer Joshi wrote:
>> Hi All,
>>
>> We are working on passing the CTS test results for the device that we
>> are making.
>>
>> One of the test cases in the CTS test suite verifies the delay caused in
>> recording a certain number of samples and if the delay is higher, it fails.
>>
>> We see that one of the causes of the delay could be related to the following
>> selinux denial:
>>
>> 12-01 19:32:19.400  3626  3626 W Binder_1: type=1400 audit(0.0:426):
>> avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0
>> tcontext=u:r:shell:s0 tclass=capability permissive=0
>>
>> We get these denials continuously while running audio related CTS tests.
>>
>> There is a neverallow rule in app.te that restricts any domain other
>> than bluetooth to get the sys_nice capability.  So, we can't give shell
>> the ability to use sys_nice.
>>
>>
>> Unfortunately, the denial shown above just mentions Binder_1 and we are
>> not sure which Binder thread is triggering this denial and why. Is there
>> a way to further get more information about this denial from Binder
>> thread? Any help in fixing this denial would be helpful.
> 
> No pid= or comm= information?  What kernel are you using?
> 
> We also often patch our Android kernels to always include system call,
> path, and other auxiliary records.  You can find patches for doing that
> from our old bitbucket.org/seandroid kernel repositories; look on the
> seandroid- branches.  It is just a matter of setting audit_default = 1
> in kernel/audit.c (or, equivalently, you could just add audit=1 to your
> kernel boot parameters) and setting audit_n_rules = 1 in
> kernel/auditsc.c (normally this is done by adding a rule from userspace
> via auditctl, but Android doesn't include that). Our kernel patch also
> typically removed the printk_ratelimit() checks to avoid losing any
> records during bootup, but that's a separate issue.

Why is this running as shell, btw?

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
To get help, send an email containing "help" to 
seandroid-list-requ...@tycho.nsa.gov.
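
Added example, not part of the original thread: a small Python parser for the logcat-formatted AVC denial quoted above, which pulls out the source domain, the denied capability, and reports whether the pid= and comm= fields asked about in the reply are present in the record. The names parse_avc, CAP_NAMES and SAMPLE are made up for this illustration, and SAMPLE is the quoted denial with the e-mail line wraps joined.

```python
import re

# Constructed sample: the denial quoted in the thread, e-mail line wraps joined.
SAMPLE = ("12-01 19:32:19.400  3626  3626 W Binder_1: type=1400 audit(0.0:426): "
          "avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0 "
          "tcontext=u:r:shell:s0 tclass=capability permissive=0")

# Small subset of the linux/capability.h numbering, enough for this illustration.
CAP_NAMES = {12: "net_admin", 19: "sys_ptrace", 21: "sys_admin", 23: "sys_nice"}

LINE_RE = re.compile(
    r"^\d\d-\d\d [\d:.]+\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+[A-Z] (?P<tag>[^:]+): "
    r"type=1400 audit\([\d.]+:(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)"
    r"\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # comm="..." may contain spaces

def parse_avc(line):
    """Parse one logcat-formatted AVC line; return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    cap = fields.get("capability")
    return {
        "header": {"pid": int(m["pid"]), "tid": int(m["tid"]), "tag": m["tag"]},
        "serial": int(m["serial"]),
        "result": m["result"],
        "perms": m["perms"].split(),
        "fields": fields,
        # SELinux contexts are user:role:type:level; the type is the domain.
        "source_domain": fields["scontext"].split(":")[2] if "scontext" in fields else None,
        "capability_name": CAP_NAMES.get(int(cap)) if cap and cap.isdigit() else None,
        "enforced": fields.get("permissive") == "0",
        # Identifying fields asked about in the reply that the record lacks.
        "missing": [k for k in ("pid", "comm") if k not in fields],
    }

if __name__ == "__main__":
    for key, value in parse_avc(SAMPLE).items():
        print(f"{key}: {value}")
```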