Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 1044702704f79f138432ec352c2a375f8c0d92b7^! / .
commit1044702704f79f138432ec352c2a375f8c0d92b7[log] [tgz]
authorAkilesh Kailash <akailash@google.com>Tue Jul 26 21:26:01 2022 +0000
committerAkilesh Kailash <akailash@google.com>Mon Oct 10 21:58:41 2022 +0000
treeb8b38c8e01b22452634ca51576b03ac7ddc23da7
parent24b66bcf11dcb7ae8a186c251bbe9e9bddb6d644 [diff]
Supress permissive audit messages post OTA reboot

For post-OTA boot, we run a userspace block device daemon to mount /system.
However if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is still not enforced yet, we can supress these
audit messages.

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6

diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te

@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into

diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te

@@ -32,6 +32,19 @@
 allow kernel kmsg_device:chr_file write;
 allow kernel gsid:fd use;
 
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
 # Some contexts are changed before the device is flipped into enforcing mode
 # during the setup of Apex sepolicy. These denials can be suppressed since
 # the permissions should not be allowed after the device is flipped into