suppress some su related denials

The su domain is always permissive. Operations which occur in this domain should never be logged. Addresses the following denials: type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1 type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1 type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1 type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1 type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1 Test: policy compiles Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4

suppress some su related denials
The su domain is always permissive. Operations which occur in this domain should never be logged. Addresses the following denials: type=1400 audit(0.0:864): avc: denied { module_load } for comm="insmod" path="/data/lcd.ko.gz" dev="sda21" ino=143150 scontext=u:r:su:s0 tcontext=u:object_r:system_data_file:s0 tclass=system permissive=1 type=1400 audit(0.0:858): avc: denied { module_load } for comm="insmod" path="/vendor/lib/modules/lcd.ko" dev="sda9" ino=880 scontext=u:r:su:s0 tcontext=u:object_r:vendor_file:s0 tclass=system permissive=1 type=1400 audit(0.0:37495): avc: denied { prog_run } for comm="ip6tables" scontext=u:r:su:s0 tcontext=u:r:bpfloader:s0 tclass=bpf permissive=1 type=1400 audit(0.0:31): avc: denied { map_create } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1 type=1400 audit(0.0:32): avc: denied { map_read map_write } for comm="netd_unit_test" scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=bpf permissive=1 Test: policy compiles Change-Id: I490c8566577fde64bdd0201bb8f9112ff6ac96d4
690be8e8 · Nick Kralevich · 383471c2 · 690be8e8
Commit 690be8e8 authored 6 years ago by Nick Kralevich
--- a/public/su.te
+++ b/public/su.te
@@ -19,7 +19,7 @@ userdebug_or_eng(`
  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
-  dontaudit su kernel:system *;
+  dontaudit su { kernel file_type }:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:process *;
  dontaudit su domain:fd *;
@@ -50,6 +50,7 @@ userdebug_or_eng(`
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
  dontaudit su postinstall_file:filesystem *;
+  dontaudit su domain:bpf *;
  # VTS tests run in the permissive su domain on debug builds, but the HALs
  # being tested run in enforcing mode. Because hal_foo_server is enforcing