From 690be8e80d0ed4a9f34666100e17bb26d64834af Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 13 Aug 2018 10:56:49 -0700
Subject: [PATCH] suppress some su related denials

The su domain is always permissive. Operations which occur in this domain should never be logged.

Addresses the following denials:

type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1
type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1
type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1
type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1
type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1

Test: policy compiles
Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4
---
 public/su.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/su.te b/public/su.te
index 031294548..c2a4b2bc2 100644
--- a/public/su.te
+++ b/public/su.te
@@ -19,7 +19,7 @@ userdebug_or_eng(`
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
-  dontaudit su kernel:system *;
+  dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;
   dontaudit su domain:process *;
   dontaudit su domain:fd *;
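Review bot: The widened target `{ kernel file_type }:system` on the added line suppresses module_load audit records for every file label, not only the `system_data_file` and `vendor_file` contexts quoted in the description, and nothing in the hunk records why the whole attribute rather than those two types was chosen. Because `dontaudit` drops the record rather than the (already permissive) access, a root shell on a userdebug build that loads a module from a writable `/data` path leaves no avc trace afterwards, so the breadth should be stated as deliberate; a one-line comment above the rule would do, e.g. `# module_load is checked against the module file's label; su loads test modules from /data and /vendor`. The rule sits inside the `userdebug_or_eng(` macro, which begins and ends outside the hunk, so user builds are unaffected.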
@@ -50,6 +50,7 @@ userdebug_or_eng(`
   dontaudit su domain:drmservice *;
   dontaudit su unlabeled:filesystem *;
   dontaudit su postinstall_file:filesystem *;
+  dontaudit su domain:bpf *;
   # VTS tests run in the permissive su domain on debug builds, but the HALs
   # being tested run in enforcing mode. Because hal_foo_server is enforcing
-- 
GitLab
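Review bot: `dontaudit su domain:bpf *;` targets the `domain` attribute where the neighbouring self-directed rules use `self`, and nothing on the line says which denials it covers; the description lists `prog_run` against `bpfloader` and `map_create`/`map_read`/`map_write` against `su` itself, so `domain` is needed to catch both, but a reader of the policy alone cannot recover that. A comment such as `# bpf: prog_run on bpfloader, map_* on self (ip6tables, netd_unit_test)` would keep the wildcard traceable to its cause. The `*` matches the style of the surrounding su rules, and since dontaudit grants nothing it narrows only what is recorded, not what su may do with bpf. The enclosing `userdebug_or_eng(` block starts before and ends after the hunk.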