Merge "suppress su behavior when running lsof"

commit: 92f87ac0b934ca9b23fa33d64e56effa87833feb [log] [tgz]
author: Adam Shih <adamshih@google.com> Wed Mar 23 05:03:02 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Mar 23 05:03:02 2022 +0000
tree: 742eac3d7b6da09298c1673ef22bed8a202585f3
parent: 3a8977155ce7855fb21d3771015722a3d9017f4c [diff]
parent: 643d2439c219a05f19d703e301d4c8ac88a87664 [diff]
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff75f75..708d537 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te

@@ -45,8 +45,9 @@
 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
 # /dev/socket
 allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;

diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index c7d9fd6..a855509 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te

@@ -49,8 +49,5 @@
 # ueventd is using bootstrap bionic
 use_bootstrap_libs(ueventd)
 
-# TODO(b/193118220): find out why this happens.
-dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
-
 # ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
 set_prop(ueventd, cold_boot_done_prop)

diff --git a/public/init.te b/public/init.te
index d1f7d90..5139038 100644
--- a/public/init.te
+++ b/public/init.te

@@ -36,8 +36,9 @@
 allow init { device socket_device dm_user_device }:dir relabelto;
 # allow init to establish connection and communicate with lmkd
 unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
commit	92f87ac0b934ca9b23fa33d64e56effa87833feb	[log] [tgz]
author	Adam Shih <adamshih@google.com>	Wed Mar 23 05:03:02 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Mar 23 05:03:02 2022 +0000
tree	742eac3d7b6da09298c1673ef22bed8a202585f3
parent	3a8977155ce7855fb21d3771015722a3d9017f4c [diff]
parent	643d2439c219a05f19d703e301d4c8ac88a87664 [diff]