exclude su from app auditallow

su is an appdomain, and as such, any auditallow statements applicable to appdomain also apply to su. However, su is never enforced, so generating SELinux denials for such domains is pointless. Exclude su from ion_device auditallow rules. Addresses the following auditallow spam: avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=10230 ioctlcmd=4906 scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file Test: policy compiles Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16

exclude su from app auditallow
e0d5c532 · Nick Kralevich · 4c7044e0 · e0d5c532
Commit e0d5c532 authored Nov 15, 2016 by Nick Kralevich
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }

 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;

 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;