From 92c149d07744ae589d47602c7971371ee7dc7ab0 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Mon, 26 Mar 2018 17:06:23 +0100
Subject: [PATCH] Suppress harmless denials for file creation in cgroupfs.
The kernel generates file creation audits when O_CREAT is passed even if the file already exists - which it always does in the cgroup cases. We add neverallow rules to prevent mistakenly allowing unnecessary create access. We also suppress these denials, which just add noise to the log, for the more common culprits.
Bug: 72643420
Bug: 74182216
Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
---
 private/init.te | 5 +++++
 private/zygote.te | 5 +++++
 public/domain.te | 7 +++++++
 3 files changed, 17 insertions(+)
diff --git a/private/init.te b/private/init.te
index 546486508..50b1c94c0 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
diff --git a/private/zygote.te b/private/zygote.te
index 4ea401dce..ab707f155 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
diff --git a/public/domain.te b/public/domain.te
index 7835e3a2e..d6bc6ef8b 100644
--- a/public/domain.te
+++ b/public/domain.te
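Review bot: The `dontaudit init cgroup:file create;` rule added at the end of private/init.te hides every create denial on cgroup files for init, not only the O_CREAT-on-an-existing-file case its comment describes, so a later attempt to create a file that really is missing would be refused with no avc line to explain it. The same applies to `dontaudit zygote cgroup:file create;` at the end of private/zygote.te. I would add a line to both comments such as `# Also hides create denials for cgroup files that do not exist; drop this rule when debugging a failing open().` and cite one of the bug numbers from the commit message next to it, so the suppression can be traced and revisited.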
@@ -1333,6 +1333,13 @@ neverallow domain {
 sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+ domain
+ -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
-- GitLab
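Review bot: The `-installd` exemption in the new neverallow leaves one domain for which a `cgroup:file create` allow is still accepted, and the TODO does not say which rule that is or how "sure it's not used" will be established; no such allow is visible in this patch. Naming it would make the cleanup checkable, e.g. `# installd is exempt only because of its existing allow in <file holding the installd rule>; remove both together.` The comment could also state that the rule covers only the `create` permission on class `file`, since its first line reads as a broader statement about cgroupfs. The preceding `neverallow domain { sysfs_type }` block starts outside this hunk.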