On 12/06/2016 08:52 AM, Stephen Smalley wrote:
> On 12/06/2016 02:10 AM, Sameer Joshi wrote:
>> Hi All,
>>
>> We are working on passing the CTS test results for the device that we
>> are making.
>>
>> One of the test cases in the CTS test suite verifies the delay caused in
>> recording a certain number of samples and if the delay is higher, it fails.
>>
>> We see that one of the causes of the delay could be related to the following
>> selinux denial:
>>
>> 12-01 19:32:19.400 3626 3626 W Binder_1: type=1400 audit(0.0:426):
>> avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0
>> tcontext=u:r:shell:s0 tclass=capability permissive=0
>>
>> We get these denials continuously while running audio related CTS tests.
>>
>> There is a neverallow rule in app.te that restricts any domain other
>> than bluetooth to get the sys_nice capability. So, we can't give shell
>> the ability to use sys_nice.
>>
>>
>> Unfortunately, the denial shown above just mentions Binder_1 and we are
>> not sure which Binder thread is triggering this denial and why. Is there
>> a way to further get more information about this denial from Binder
>> thread ? Any help in fixing this denial would be helpful.
>
> No pid= or comm= information? What kernel are you using?
>
> We also often patch our Android kernels to always include system call,
> path, and other auxiliary records. You can find patches for doing that
> from our old bitbucket.org/seandroid kernel repositories; look on the
> seandroid- branches. It is just a matter of setting audit_default = 1
> in kernel/audit.c (or, equivalently, you could just add audit=1 to your
> kernel boot parameters) and setting audit_n_rules = 1 in
> kernel/auditsc.c (normally this is done by adding a rule from userspace
> via auditctl, but Android doesn't include that). Our kernel patch also
> typically removed the printk_ratelimit() checks to avoid losing any
> records during bootup, but that's a separate issue.

Why is this running as shell, btw?
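
Added example, not part of the original message or of any SEAndroid tooling: a small parser for the denial quoted in the thread that separates what the logcat header carries (PID, TID, tag) from the key=value fields in the audit body, and reports whether `pid=` and `comm=` are present there. It assumes logcat's threadtime layout (date, time, PID, TID, level, tag); the function name `parse_denial` and the capability table are illustrative.

```python
import re

# Constructed sample: the denial quoted in the thread, joined onto one line.
SAMPLE = ("12-01 19:32:19.400 3626 3626 W Binder_1: type=1400 audit(0.0:426): "
          "avc: denied { sys_nice } for capability=23 scontext=u:r:shell:s0 "
          "tcontext=u:r:shell:s0 tclass=capability permissive=0")

# logcat threadtime header: date, time, PID, TID, level, tag (assumed layout).
HEADER = re.compile(r"^(\S+ \S+)\s+(\d+)\s+(\d+)\s+([VDIWEF])\s+([^:]+):\s+(.*)$")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Subset of linux/capability.h numbers, enough for this illustration.
CAP_NAMES = {21: "sys_admin", 22: "sys_boot", 23: "sys_nice", 24: "sys_resource"}
# Fields a reviewer looks for in the audit body to identify the offending task.
WANTED = ("pid", "comm")


def parse_denial(line):
    """Split one logcat AVC line into header info, permissions and body fields."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    stamp, pid, tid, _level, tag, body = head.groups()
    avc = AVC.search(body)
    if not avc:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(avc.group(3))}
    cap = fields.get("capability")
    return {
        "time": stamp, "log_pid": int(pid), "log_tid": int(tid),
        "log_tag": tag.strip(), "result": avc.group(1),
        "perms": avc.group(2).split(), "fields": fields,
        "capability_name": CAP_NAMES.get(int(cap)) if cap and cap.isdigit() else None,
        "missing": [name for name in WANTED if name not in fields],
    }


if __name__ == "__main__":
    info = parse_denial(SAMPLE)
    print("logcat header: pid=%(log_pid)d tid=%(log_tid)d tag=%(log_tag)s" % info)
    print("denied:", info["perms"], "capability:", info["capability_name"])
    print("absent from audit body:", ", ".join(info["missing"]) or "none")
```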