From d65f26f1b05bb03aab7e1065bc684637568e4f92 Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Wed, 23 May 2018 08:36:40 -0700
Subject: [PATCH] Hide bpfloader sys_admin denials.

Bug: 79524845
Test: Boot device and see no denials.
Change-Id: I9316bfd0e3718818a7613a421aedff7da8c87108
---
 prebuilts/api/28.0/private/bpfloader.te | 2 ++
 private/bpfloader.te                    | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/prebuilts/api/28.0/private/bpfloader.te b/prebuilts/api/28.0/private/bpfloader.te
index e6902316d..4e8ec2b46 100644
--- a/prebuilts/api/28.0/private/bpfloader.te
+++ b/prebuilts/api/28.0/private/bpfloader.te
@@ -26,3 +26,5 @@ neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+
+dontaudit bpfloader self:capability sys_admin;
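Review bot: The added `dontaudit bpfloader self:capability sys_admin;` has no comment saying which operation triggers the CAP_SYS_ADMIN check or why it is safe to silence; the commit message gives only the bug number. Because dontaudit suppresses the avc denial record for this permission, any later, unexpected sys_admin attempt from the bpfloader domain would also go unlogged, so the justification should sit next to the rule. Assuming the boot-time denial is in fact harmless, a comment such as `# sys_admin is requested at boot but not needed; hide the denial (b/79524845).` would do, ideally naming the triggering operation if it is known. The identical line added in private/bpfloader.te needs the same comment. As a style point, the rule is appended after the neverallow block; it would read more naturally next to the domain's allow rules, which lie outside this hunk.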
diff --git a/private/bpfloader.te b/private/bpfloader.te
index e6902316d..4e8ec2b46 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -26,3 +26,5 @@ neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_
 neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+
+dontaudit bpfloader self:capability sys_admin;
-- 
GitLab