root@hikey:/ # ps | grep xxx
system 2619 1893 1561788 86956 SyS_epoll_ 0000000000 S com.xxx.xxx.xxx
root@hikey:/ # ps -Z | grep xxx
u:r:system_app:s0 system 2619 1893 1561788 86736 SyS_epoll_ 0000000000 S com.xxx.xxx.xxx
root@hikey:/ #
auditallow system_app audioserver:unix_stream_socket { ioctl read getattr write setattr lock append bind connect getopt setopt shutdown connectto };
08-08 10:38:01.939 2622-2622/com.xxx.xxx.xxx W/ksetsdk.xxx: type=1400 audit(0.0:511): avc: denied { connectto } for path=0023xxx scontext=u:r:system_app:s0 tcontext=u:r:audioserver:s0 tclass=unix_stream_socket permissive=0
--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-platform+unsubscribe@googlegroups.com.
To post to this group, send email to android-platform@googlegroups.com.
Visit this group at https://groups.google.com/group/android-platform.
For more options, visit https://groups.google.com/d/optout.
There must've been some sync issue in my building aosp and changing SEPolicy rules.
I did more exhaustive testing and found:
(1) When app is signed by platform key, and requests system uid in manifest, it runs as system_app and following rule works:
auditallow system_app audioserver:unix_stream_socket { connectto };
(2) When app is signed by platform key, but doesn't request system uid in manifest, it runs as platform_app but following rule doesn't work:
auditallow platform_app audioserver:unix_stream_socket { connectto };
(3) If App is not signed by platform key, it runs as priv_app, and following rule doesn't work:
auditallow priv_app audioserver:unix_stream_socket { connectto };
I must've mixed up what rule was built into AOSP when I tested it.
It is still a mystery to me why priv_app or platform_app won't work, but system_app would with a similar rule.
Thanks
-Gaurav
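
As an added example (not part of the original posts, and not AOSP code): a small audit2allow-style parser that turns the `avc: denied` line quoted in the thread into the `allow` rule covering it; `auditallow` only logs accesses that are already allowed and grants nothing by itself. The second and third log lines and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the thread; line 2 (write)
# and line 3 (unrelated) are made up to show merging and skipping.
SAMPLE_LOG = """\
08-08 10:38:01.939 2622-2622/com.xxx.xxx.xxx W/ksetsdk.xxx: type=1400 audit(0.0:511): avc: denied { connectto } for path=0023xxx scontext=u:r:system_app:s0 tcontext=u:r:audioserver:s0 tclass=unix_stream_socket permissive=0
08-08 10:38:02.100 2622-2622/com.xxx.xxx.xxx W/ksetsdk.xxx: type=1400 audit(0.0:512): avc: denied { write } for path=0023xxx scontext=u:r:system_app:s0 tcontext=u:r:audioserver:s0 tclass=unix_stream_socket permissive=0
08-08 10:38:03.000 1234-1234/? I/example: unrelated line
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def domain_of(context):
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def parse_avc(line):
    """Parse one log line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "denied": m["result"] == "denied",
        "perms": m["perms"].split(),
        "source": domain_of(m["scontext"]),
        "target": domain_of(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",  # False means enforcing
    }

def denials_to_rules(log_text):
    """Merge denied permissions per (source, target, class) into allow rules."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["denied"]:
            wanted[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        tgt = "self" if tgt == src else tgt  # same-domain access is written as "self"
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Review each generated rule against the policy before adding it, so that it grants only the access the app needs.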