commit 9a76c280d64099411c6ebbbdf5e410232cce9c0e
author Treehugger Robot <treehugger-gerrit@google.com> Thu Mar 29 19:54:04 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Thu Mar 29 19:54:04 2018 +0000
tree fdd8d50099cff211d2aa6d88301602132e947c40
parent 2c36eb6d91730ff77dd26393763a93d6ca1eb202
parent 832a7042b0f977b6b0eead33b0265813832b06ed

Merge "Suppress harmless denials for file creation in cgroupfs."

private/init.te

diff --git a/private/init.te b/private/init.te
index 5464865..50b1c94 100644
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;

private/zygote.te

diff --git a/private/zygote.te b/private/zygote.te
index 4ea401d..ab707f1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 0027efa..0652648 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1331,6 +1331,13 @@
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;