Suppress denials for non-API access avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:proc_version:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:wifi_prop:s0 tclass=file avc: denied { read } scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:net_dns_prop:s0 tclass=file Bug: 72151306 Test: build Change-Id: I4b658ccd128746356f635ca7955385a89609eea1

commit: 6d8a876a4c52599b5abb1e86cfa2a3f4e866ac6d [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Thu Jan 18 08:55:02 2018 -0800
committer: Jeff Vander Stoep <jeffv@google.com> Thu Jan 18 08:55:02 2018 -0800
tree: 8df7685ace9bf8f8c2942da3ae670e02bca5c1eb
parent: 97753529fdcb96e2c8c691d89069710ce75c3fcb [diff]
diff --git a/private/priv_app.te b/private/priv_app.te
index 9909e06..ec52d56 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -122,11 +122,14 @@
 allow priv_app traced_tmpfs:file { read write getattr map };
 unix_socket_connect(priv_app, traced_producer, traced)
 
-# suppress denials when safetynet scans /system
+# suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app net_dns_prop:file read;
 
 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
commit	6d8a876a4c52599b5abb1e86cfa2a3f4e866ac6d	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Thu Jan 18 08:55:02 2018 -0800
committer	Jeff Vander Stoep <jeffv@google.com>	Thu Jan 18 08:55:02 2018 -0800
tree	8df7685ace9bf8f8c2942da3ae670e02bca5c1eb
parent	97753529fdcb96e2c8c691d89069710ce75c3fcb [diff]