From 2d0d28662d6f4d6ce33bfdb5140acb7830cc30d6 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 9 Jun 2017 11:34:26 -0700
Subject: [PATCH] Clean up logspam for cgroup access

These permissions are granted to domain. Remove the audit statements
for them in domain_deprecated.

avc: granted { search } for pid=905 comm="update_engine" name="/"
dev="cgroup" ino=1 scontext=u:r:update_engine:s0
tcontext=u:object_r:cgroup:s0 tclass=dir duplicate messages suppressed
avc: granted { open } for pid=905 comm="update_engine"
path="/dev/cpuset/foreground/tasks" dev="cgroup" ino=25
scontext=u:r:update_engine:s0 tcontext=u:object_r:cgroup:s0 tclass=file

Test: build and boot Marlin
Change-Id: Ib2a61e5f5476ff761d0e5ecde57ba7a1777a73e9
---
 private/domain_deprecated.te | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 43f11357b..815141a19 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -253,7 +253,7 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:dir r_dir_perms;
+} cgroup:dir { open getattr read ioctl lock }; # search granted to domain
 auditallow {
   domain_deprecated
   -appdomain
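Review bot: The trailing comment `# search granted to domain` on the new `cgroup:dir` line does not say what the omission depends on. If the domain-wide grant is later removed, `search` would presumably still be allowed through domain_deprecated but would no longer be audited. Because auditallow is the only signal for which domains still rely on these deprecated permissions, I would spell out the dependency, e.g. `# search omitted: allowed for all of domain, so auditing it here is only log noise; re-add if that allow is removed`. The same applies to `# open and lock granted to domain` in the second hunk. The auditallow block this line closes begins above the hunk.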
@@ -267,7 +267,21 @@ auditallow {
   -surfaceflinger
   -system_server
   -zygote
-} cgroup:{ file lnk_file } r_file_perms;
+} cgroup:file { getattr read ioctl }; # open and lock granted to domain
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:lnk_file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
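Review bot: The new `cgroup:lnk_file` block repeats the eleven-entry exclusion list by hand, and nothing in the patch shows that it matches the `cgroup:file` block it was split from, since only the last three entries of that block are visible here. If the two lists drift apart, a domain could be audited for one class and silently skipped for the other. A comment above the new block such as `# exclusion list must stay identical to the cgroup:file auditallow above` would make the coupling explicit. Separately, the avc lines in the commit message show `open` being granted on a cgroup file but not `lock`, so dropping `lock` from the file audit rests on the domain rule alone, which is not shown here and is worth confirming.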
-- 
GitLab