Copy a dontaudit from init to vendor_init Copy init's dontaudit for sysfs:dir write; to calm the below denials: avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1 avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1 Bug: 62875318 Test: use pixel + factory reset + vendor_init Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89

commit: 63492cd6250a0878af079a388658002f37946b11 [log] [tgz]
author: Tom Cherry <tomcherry@google.com> Wed Nov 15 14:57:14 2017 -0800
committer: Tom Cherry <tomcherry@google.com> Wed Nov 15 14:57:14 2017 -0800
tree: 6c919c85793cb6e025db8d5347180e469308f459
parent: 29fc85eeab3077a8aa8515e9326b4b39960df939 [diff] [blame]
diff --git a/private/vendor_init.te b/private/vendor_init.te
index c99d96f..5d97f72 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te

@@ -1,2 +1,6 @@
 typeattribute vendor_init coredomain;
 
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
commit	63492cd6250a0878af079a388658002f37946b11	[log] [tgz]
author	Tom Cherry <tomcherry@google.com>	Wed Nov 15 14:57:14 2017 -0800
committer	Tom Cherry <tomcherry@google.com>	Wed Nov 15 14:57:14 2017 -0800
tree	6c919c85793cb6e025db8d5347180e469308f459
parent	29fc85eeab3077a8aa8515e9326b4b39960df939 [diff] [blame]