Suppress denials for apps accessing storage too early
The recommended solution is to not access encrypted storage until
after the ACTION_USER_UNLOCKED intent is delivered.
Test: build
Fixes: 72811052
Fixes: 72550646
Change-Id: I80eb743e26047b7864de983c5a46c28b6f753a59
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index b2c4f40..c9bf65f 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -150,3 +150,9 @@
-proc_net_vpn
}:{ dir file lnk_file } { getattr open read };
')
+
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
+# denial to prevent third party apps from spamming the logs.
+dontaudit untrusted_app_all system_data_file:dir write;
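Review bot: The comment on the new dontaudit rule says these writes are "generally" a sign of access before ACTION_USER_UNLOCKED, but the rule as written drops the log entry for every write denial from untrusted_app_all on system_data_file directories, whatever the cause. The access is still denied, so anyone debugging an app failure of this kind will see no avc message. Suggest stating in the comment that all such denials are hidden, not only the early-unlock ones, so a reader knows to check this rule. Also a grammar nit in the first comment line: "Attempts to write to system_data_file is" should read "Attempts to write to system_data_file are".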