Prevent apps from causing presubmit failures

Apps can cause selinux denials by accessing CE storage
and/or external storage. In either case, the selinux denial is
not the cause of the failure, but just a symptom that
storage isn't ready. Many apps handle the failure appropriately.

These denials are not helpful, are not the cause of a problem,
spam the logs, and cause presubmit flakes. Suppress them.

Bug: 145267097
Test: build
Change-Id: If87b9683e5694fced96a81747b1baf85ef6b2124
diff --git a/private/app.te b/private/app.te
index e8397ef..5590ca5 100644
--- a/private/app.te
+++ b/private/app.te
@@ -4,6 +4,22 @@
 
 userdebug_or_eng(`perfetto_producer({ appdomain })')
 
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
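Review bot: The two added `dontaudit` rules apply to all of `appdomain`, which is wider than what this commit removes: the `system_data_file:dir write` suppression previously existed only for gmscore_app, priv_app and untrusted_app_all, so write denials from every other app domain now also stop being logged. The access is still denied, but the audit record is what triage and detection would rely on to notice an app probing system data directories, so the comment should state the widened scope, e.g. `# Applies to every appdomain member; access is still denied, only the audit record is dropped.` Also, the bug_map hunks drop `system_server storage_stub_file dir b/145267097`, and the removed entries matched the whole `dir` class while the new rule covers only `getattr`. If system_server is not part of appdomain (not visible here), its denials end up neither suppressed nor tracked, so that entry looks worth keeping.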
diff --git a/private/bug_map b/private/bug_map
index 076aeba..c6c8278 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,7 +1,5 @@
-bluetooth storage_stub_file dir b/145267097
 dnsmasq netd fifo_file b/77868789
 dnsmasq netd unix_stream_socket b/77868789
-gmscore_app storage_stub_file dir b/145267097
 gmscore_app system_data_file dir b/146166941
 init app_data_file file b/77873135
 init cache_file blk_file b/77873135
@@ -26,15 +24,9 @@
 netd untrusted_app_25 unix_stream_socket b/77870037
 netd untrusted_app_27 unix_stream_socket b/77870037
 platform_app nfc_data_file dir b/74331887
-platform_app storage_stub_file dir b/145267097
-priv_app storage_stub_file dir b/145267097
 system_server crash_dump process b/73128755
 system_server overlayfs_file file b/142390309
 system_server sdcardfs file b/77856826
-system_server storage_stub_file dir b/145267097
 system_server zygote process b/77856826
-untrusted_app storage_stub_file dir b/145267097
-untrusted_app_25 storage_stub_file dir b/145267097
-untrusted_app_27 storage_stub_file dir b/145267097
 vold system_data_file file b/124108085
 zygote untrusted_app_25 process b/77925912
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 5c01eab..a5555ac 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -63,15 +63,6 @@
 dontaudit gmscore_app sysfs_loop:file r_file_perms;
 dontaudit gmscore_app wifi_prop:file r_file_perms;
 dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
-
-
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit gmscore_app system_data_file:dir write;
-
-# suppress denials for scanning /data_mirror
 dontaudit gmscore_app mirror_data_file:dir search;
 
 # Access the network
diff --git a/private/priv_app.te b/private/priv_app.te
index f1da201..3b78e4a 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -213,12 +213,6 @@
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
 ###
 ### neverallow rules
 ###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f37cadc..d8e0b14 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -162,12 +162,6 @@
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app_all)
 
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
 # Allow access to kcov via its ioctl interface for coverage
 # guided kernel fuzzing.
 userdebug_or_eng(`