Suppress denials from idmap reading installd's files.
We are occasionally seeing the following SELinux denial:
avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file
This commit suppresses that exact denial.
We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.
Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9
diff --git a/private/bug_map b/private/bug_map
index 6bc55e5..2b970dd 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,4 +9,3 @@
surfaceflinger unlabeled dir 68864350
hal_graphics_composer_default unlabeled dir 68864350
bootanim unlabeled dir 68864350
-idmap installd file 72444813
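Review bot: dropping this bug_map line means any idmap -> installd file denial other than the suppressed `read` (for example `open` or `getattr` on the same /proc/<pid> file) will no longer be annotated with bug 72444813 in logs; if the dontaudit in idmap.te is meant to cover only `read`, consider keeping the bug_map entry until it is confirmed no related denials remain.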
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8f..3f336a3 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
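Review bot: the comment on the added line says `/proc/<pid>/maps`, but the denial quoted in the commit message is for `/proc/947/mounts`; change it to `# Ignore reading /proc/<pid>/mounts after a fork.` so the rule's documentation matches the denial it suppresses. Also note that `dontaudit idmap installd:file read;` is keyed on the installd type, not on a path, so it silences reads of any installd-labeled file rather than "that exact denial" as the message states; if that scope is intended, the comment should say so.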