From 19425d3ecba5638b8c95a4e7d4b10a78bfc0f97e Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Wed, 28 Mar 2018 15:07:59 +0100
Subject: [PATCH] Stop O_CREAT logspam in permissive mode.

In permissive mode we get more spurious denials when O_CREAT is used
with an already-existing file. They're harmless, so we don't need to
audit them.

Example denials:
denied { add_name } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=1
denied { create } for name="trigger" scontext=u:r:init:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=file permissive=1

Bug: 72643420
Bug: 74182216

Test: Device boots, denials gone.
Change-Id: I54b1a0c138ff5167f1d1d12c4b0b9e9afaa5bca0
(cherry picked from commit 7d4294cb4f49057300b69fe77deca8bd0a0604a0)
---
 public/domain.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index ed567ae89..0027efa37 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1333,3 +1333,12 @@ neverallow domain {
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+  dontaudit domain proc_type:dir add_name;
+  dontaudit domain sysfs_type:dir add_name;
+  dontaudit domain proc_type:file create;
+  dontaudit domain sysfs_type:file create;
+')
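Review bot: the comment on the new block explains why the rules are harmless in enforcing mode but not why they are wrapped in `userdebug_or_eng` while the two unconditional `dontaudit domain proc_type:dir write;` / `dontaudit domain sysfs_type:dir write;` lines just above are not; a reader of domain.te has to infer that permissive domains only exist on userdebug/eng builds, so the gate costs nothing on user builds. Suggest stating that in the comment and also carrying over the trigger from the commit message (O_CREAT on an already-existing proc or sysfs node, where the kernel checks dir write, then dir add_name, then file create, and only the first check is reached when the domain is enforcing), for example: `# In enforcing mode the dir write check fails first, so add_name/create are never reached; permissive domains exist only on userdebug/eng builds.` One caveat worth noting in the same comment: together with the existing dir write dontaudits, a permissive domain that really does try to create a new entry under proc or sysfs will now produce no denial at all, which is acceptable only because neither filesystem lets userspace create entries, but that reasoning is not visible in the file.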
-- 
GitLab