commit a60ac31fcb47b6c4142e44f9fa7b9fbdcef3944d
author Treehugger Robot <treehugger-gerrit@google.com> Mon Mar 08 11:26:35 2021 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Mar 08 11:26:35 2021 +0000
tree 06730901b8889d2176a0bcca16e304a856dd31f4
parent f6f2a79a2acd0b1c85bc3eeb83414bcc60a60553
parent d240d2be776496ff683894f1bbc7a16fee1ff5c2

Merge "Dontaudit zygote to read and open media_rw_data_file dir"

private/zygote.te

diff --git a/private/zygote.te b/private/zygote.te
index 83323c9..5f24115 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -197,9 +197,11 @@
 # undesirable, so suppress the denial.
 dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
-# Ignore spurious denials calling access() on fuse
+# Ignore spurious denials calling access() on fuse.
+# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
+# doesn't exist.
 # TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir setattr;
+dontaudit zygote media_rw_data_file:dir  { read open setattr };
 
 # Allow zygote to use ashmem fds from system_server.
 allow zygote system_server:fd use;