From b050dccdd86bed1e9de9be2ebf9222d7032eb221 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Wed, 24 Jan 2018 13:56:28 -0800
Subject: [PATCH] Suppress denials from idmap reading installd's files.

We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
---
 private/bug_map | 1 -
 public/idmap.te | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/private/bug_map b/private/bug_map
index 6bc55e5b9..2b970dd64 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,4 +9,3 @@ hal_graphics_allocator_default unlabeled dir 70180742
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
-idmap installd file 72444813
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8fd5..3f336a32d 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@ type idmap_exec, exec_type, file_type;
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file { getattr read write };
 
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;
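Review bot: The comment added above the dontaudit line names `/proc/<pid>/maps`, but the denial quoted in the commit message is for `/proc/947/mounts`, so the comment documents a different file than the one the rule is meant to silence; suggest `# Ignore reading /proc/<pid>/mounts inherited across the fork from installd (bug 72444813).` The rule itself is also wider than that path: `dontaudit idmap installd:file read` suppresses the audit record for any read of any installd-labelled file by idmap, not just the mounts file, so a later unrelated read denial in this pair would no longer show up in the avc log. If the rule has to stay this broad (there is no finer label for the proc file in the hunk), the comment should say that the suppression is intentionally broader than the observed denial and carry the bug number so it can be revisited.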
-- 
GitLab