From 7d4294cb4f49057300b69fe77deca8bd0a0604a0 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Wed, 28 Mar 2018 15:07:59 +0100
Subject: [PATCH] Stop O_CREAT logspam in permissive mode.

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
---
 public/domain.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 38cd275eb..7835e3a2e 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1335,3 +1335,12 @@ neverallow domain {
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')
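Review bot: The new comment above the `userdebug_or_eng` block says why these rules are never reached in enforcing mode, but not why the denials are safe to hide; the O_CREAT-on-an-already-existing-file cause appears only in the commit message. Add a line to the in-file comment stating that cause, so a later reader of domain.te does not take the four rules for a general waiver. The rules are also written against every `domain`, and a `dontaudit` silences any `add_name` or `create` attempt on `proc_type` and `sysfs_type`, not just the O_CREAT case. On userdebug and eng builds, a permissive domain that really does attempt to create an entry there will therefore leave no audit record. Either state that trade-off in the comment or, if only a few domains hit it (both example denials are from `init`), narrow the source to those.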
-- 
GitLab