Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 832a7042b0f977b6b0eead33b0265813832b06ed^! / .
commit832a7042b0f977b6b0eead33b0265813832b06ed[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Mon Mar 26 17:06:23 2018 +0100
committerJoel Galenson <jgalenson@google.com>Thu Mar 29 10:18:54 2018 -0700
treef06ca0af180f361f71146d1115f47af8fc6169f1
parent4bdefb59ca96cbd034c400235515fecfc9568f67 [diff]
Suppress harmless denials for file creation in cgroupfs.

The kernel generates file creation audits when O_CREAT is passed even
if the file already exists - which it always does in the cgroup cases.

We add neverallow rules to prevent mistakenly allowing unnecessary
create access. We also suppress these denials, which just add noise to
the log, for the more common culprits.

Bug: 72643420
Bug: 74182216

Test: Ran build_policies.sh and checked failures were unrelated.
Test: Device still boots, denials gone.
Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc
(cherry picked from commit 92c149d07744ae589d47602c7971371ee7dc7ab0)

diff --git a/private/init.te b/private/init.te
index 5464865..50b1c94 100644
--- a/private/init.te
+++ b/private/init.te

@@ -25,3 +25,8 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;

diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..ab707f1 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -134,3 +134,8 @@
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;

diff --git a/public/domain.te b/public/domain.te
index 0027efa..0652648 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -1331,6 +1331,13 @@
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;