commit a1b45600882032aab5b13381a636734f0a3f91f0
author Jeff Vander Stoep <jeffv@google.com> Fri Feb 10 09:39:37 2017 -0800
committer Nick Kralevich <nnk@google.com> Fri Feb 10 12:06:38 2017 -0800
tree 4f06cc5d1705d5da27979bd1a8052b10113e3d21
parent 009106189d16e415c5540cc23fd360dad9930357

Remove logspam

Grant observed uses of permissions being audited in domain_deprecated.

fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir

sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file

update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir

vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir

Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424

public/domain_deprecated.te

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index a732332..96f32b9 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -17,7 +17,19 @@
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow {
+  domain_deprecated
+  -fsck
+  -healthd
+  -init
+  -installd
+  -servicemanager
+  -system_server
+  -ueventd
+  -uncrypt
+  -vold
+  -zygote
+} rootfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -healthd -init -installd  -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
 auditallow { domain_deprecated -appdomain -healthd -init -installd -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
@@ -30,9 +42,12 @@
   -fingerprintd
   -init
   -installd
+  -keystore
   -rild
   -surfaceflinger
   -system_server
+  -update_engine
+  -vold
   -zygote
 } system_file:dir { open read ioctl lock }; # search getattr in domain
 auditallow {
@@ -81,7 +96,17 @@
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
 #auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:file r_file_perms;
+auditallow {
+  domain_deprecated
+  -fsck
+  -fsck_untrusted
+  -init
+  -rild
+  -sdcardd
+  -system_server
+  -update_engine
+  -vold
+} proc:file r_file_perms;
 auditallow { domain_deprecated -fsck -fsck_untrusted -init -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;