Clean up logspam for cgroup access
These permissions are already granted to domain. Remove the auditallow
statements for them in domain_deprecated.
avc: granted { search } for pid=905 comm="update_engine" name="/"
dev="cgroup" ino=1 scontext=u:r:update_engine:s0
tcontext=u:object_r:cgroup:s0 tclass=dir duplicate messages suppressed
avc: granted { open } for pid=905 comm="update_engine"
path="/dev/cpuset/foreground/tasks" dev="cgroup" ino=25
scontext=u:r:update_engine:s0 tcontext=u:object_r:cgroup:s0 tclass=file
Test: build and boot Marlin
Change-Id: Ib2a61e5f5476ff761d0e5ecde57ba7a1777a73e9
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 43f1135..815141a 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -253,7 +253,7 @@
-surfaceflinger
-system_server
-zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
auditallow {
domain_deprecated
-appdomain
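Review bot: The audited directory permissions in `} cgroup:dir { open getattr read ioctl lock };` are now a hand-written set rather than `r_dir_perms`, so the rule no longer follows the macro, and the short trailing comment is the only record of why. If `r_dir_perms` in this tree does not include `lock`, the new set also begins auditing a permission the old line did not cover; that should be checked against the macro definition. I would expand the comment to `# r_dir_perms minus search; search is allowed to every domain, so auditing it here only produces noise`, which tells the next reader what to re-check if the domain-wide rule changes. The auditallow block opens above this hunk, so its full exclusion list is not visible here.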
@@ -267,7 +267,21 @@
-surfaceflinger
-system_server
-zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+ domain_deprecated
+ -appdomain
+ -dumpstate
+ -fingerprintd
+ -healthd
+ -inputflinger
+ -installd
+ -keystore
+ -netd
+ -surfaceflinger
+ -system_server
+ -zygote
+} cgroup:lnk_file r_file_perms;
auditallow {
domain_deprecated
-appdomain
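Review bot: Splitting `cgroup:{ file lnk_file }` copies the whole exclusion list into a second auditallow block (the added `} cgroup:lnk_file r_file_perms;` rule), so any later change to the exempted domains has to be made in both places or the file and lnk_file audits will diverge. A comment above the added block such as `# exclusion list must match the cgroup:file auditallow above` would make that dependency explicit. The trailing comment on the file rule says both `open` and `lock` are granted to domain, but the denials quoted in the commit message only show `open`. It is worth confirming `lock` is allowed domain-wide too, because otherwise a domain that still depends on domain_deprecated for `lock` would stop being logged. The first auditallow block in this hunk begins above the visible lines.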