From 9c7396d554f4cd6be69e609e8b1d65c243c5eb90 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 1 Jun 2018 12:12:11 -0700
Subject: [PATCH] Suppress denials for apps accessing storage too early

The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.

Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
---
 private/bug_map              | 3 ---
 private/priv_app.te          | 6 ++++++
 private/untrusted_app_all.te | 6 ++++++
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/private/bug_map b/private/bug_map
index 6f78f4a45..cb49904ea 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -29,7 +29,6 @@ platform_app nfc_data_file dir 74331887
 postinstall postinstall capability 77958490
 postinstall_dexopt postinstall_dexopt capability 77958490
 postinstall_dexopt user_profile_data_file file 77958490
-priv_app system_data_file dir 72811052
 profman apk_data_file dir 77922323
 radio statsdw_socket sock_file 78456764
 statsd hal_health_default binder 77919007
@@ -38,7 +37,5 @@ system_server crash_dump process 73128755
 system_server logd_socket sock_file 64734187
 system_server sdcardfs file 77856826
 system_server zygote process 77856826
-untrusted_app_25 system_data_file dir 72550646
-untrusted_app_27 system_data_file dir 72550646
 usbd usbd capability 72472544
 zygote untrusted_app_25 process 77925912
diff --git a/private/priv_app.te b/private/priv_app.te
index 3355502ce..37d864f80 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -182,6 +182,12 @@ dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent apps from spamming the logs.
+dontaudit priv_app system_data_file:dir write;
+
 ###
 ### neverallow rules
 ###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index b2c4f407c..c9bf65fa6 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -150,3 +150,9 @@ userdebug_or_eng(`
     -proc_net_vpn
   }:{ dir file lnk_file } { getattr open read };
 ')
+
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent third party apps from spamming the logs.
+dontaudit untrusted_app_all system_data_file:dir write;
-- 
GitLab