From 80eec389e259ed4d5b441abe3645d6b38497f748 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 16 Jan 2019 10:52:43 -0800
Subject: [PATCH] rs.te: Remove dontaudit statements

These dontaudit rules were in place to suppress SELinux denials due to
file descriptor leakage. The file descriptor leakage has been fixed, so
these rules are no longer necessary. Delete.

Fixes: 120983106
Test: cts-tradefed run cts-dev -m CtsRenderscriptTestCases
Change-Id: I5cad79c3526583bd2b65bd089fee9c490f6beb5e
---
 private/rs.te | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/private/rs.te b/private/rs.te
index f0c9409b7..5aa2d540e 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -28,15 +28,3 @@ allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
 allow rs untrusted_app_all:fd use;
-
-# TODO: Explain why these dontaudits are needed. Most likely
-# these are file descriptors leaking across an exec() boundary
-# due to a missing O_CLOEXEC / SOCK_CLOEXEC
-dontaudit rs untrusted_app_all:unix_stream_socket { read write };
-dontaudit rs untrusted_app_all:fifo_file { read write };
-
-# TODO: Explain why this is necessary. I think this is a zygote
-# created logging socket and system server parceled file descriptor
-# which is not using the O_CLOEXEC flag.
-dontaudit rs zygote:fd use;
-dontaudit rs system_server:fd use;
-- 
GitLab