Merge "Suppress harmless denials for file creation in cgroupfs." into pi-dev

fb735122 · TreeHugger Robot · Android (Google) Code Review · 2a053462 · 92c149d0 · fb735122
Commit fb735122 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {

 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
--- a/public/domain.te
+++ b/public/domain.te
@@ -1333,6 +1333,13 @@ neverallow domain {
  sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };

+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;