Don't emit audit logs for dumpstate->keystore aosp/1696825 added the ability for dumpstate to signal Keystore on debuggable builds, but this means that there will be an audit denial message on non-debuggable builds. Suppress this, in particular so that the test mentioned below can pass on -user builds. Bug: 269672964 Test: CtsSecurityHostTestCases:android.security.cts.SELinuxHostTest#testNoBugreportDenial Change-Id: I68a41f6b94d615f80e4d1490ec4159436693dce2

commit: e1075f7c0c252908f64a522b535a20075cbc1d3d [log] [tgz]
author: David Drysdale <drysdale@google.com> Fri Mar 17 12:21:32 2023 +0000
committer: David Drysdale <drysdale@google.com> Tue Mar 21 09:16:47 2023 +0000
tree: 6ddeded6d7bf7b786ddb7ea2fb74261b76fc3fcc
parent: 6ad15b7c74b45c5696206823c6451c2b5af5e78f [diff] [blame]
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 850b0d8..b369797 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te

@@ -66,9 +66,11 @@
   netd
 }:process signal;
 
+# Only allow dumpstate to dump Keystore on debuggable builds.
 userdebug_or_eng(`
   allow dumpstate keystore:process signal;
 ')
+dontaudit dumpstate keystore:process { signal };
 
 # For collecting bugreports.
 no_debugfs_restriction(`
commit	e1075f7c0c252908f64a522b535a20075cbc1d3d	[log] [tgz]
author	David Drysdale <drysdale@google.com>	Fri Mar 17 12:21:32 2023 +0000
committer	David Drysdale <drysdale@google.com>	Tue Mar 21 09:16:47 2023 +0000
tree	6ddeded6d7bf7b786ddb7ea2fb74261b76fc3fcc
parent	6ad15b7c74b45c5696206823c6451c2b5af5e78f [diff] [blame]