Merge "Add dontaudit for rs fd usage" into main
diff --git a/private/rs.te b/private/rs.te
index 906373b..2674c0e 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -32,6 +32,10 @@
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
+# renderscript usages shouldn't be popping up.
+dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
+
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
neverallow rs rs:capability_class_set *;