rs.te: Remove dontaudit statements

These dontaudit rules were in place to suppress SELinux denials due to file descriptor leakage. The file descriptor leakage has been fixed, so these rules are no longer necessary. Delete. Fixes: 120983106 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I5cad79c3526583bd2b65bd089fee9c490f6beb5e

rs.te: Remove dontaudit statements
These dontaudit rules were in place to suppress SELinux denials due to file descriptor leakage. The file descriptor leakage has been fixed, so these rules are no longer necessary. Delete. Fixes: 120983106 Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases Change-Id: I5cad79c3526583bd2b65bd089fee9c490f6beb5e
80eec389 · Nick Kralevich · 2b805595 · 80eec389
Commit 80eec389 authored 6 years ago by Nick Kralevich
--- a/private/rs.te
+++ b/private/rs.te
@@ -28,15 +28,3 @@ allow rs same_process_hal_file:file { r_file_perms execute };

 # File descriptors passed from app to renderscript
 allow rs untrusted_app_all:fd use;
-
-# TODO: Explain why these dontaudits are needed. Most likely
-# these are file descriptors leaking across an exec() boundary
-# due to a missing O_CLOEXEC / SOCK_CLOEXEC
-dontaudit rs untrusted_app_all:unix_stream_socket { read write };
-dontaudit rs untrusted_app_all:fifo_file { read write };
-
-# TODO: Explain why this is necessary. I think this is a zygote
-# created logging socket and system server parceled file descriptor
-# which is not using the O_CLOEXEC flag.
-dontaudit rs zygote:fd use;
-dontaudit rs system_server:fd use;