Merge "Get rid of more auditallow spam" am: 82b9182e am: fa418650

am: ce35d133 Change-Id: I7307ba97d59b174b39a1188c95495e9538d2e77e

Merge "Get rid of more auditallow spam" am: 82b9182e am: fa418650
324efbce · Nick Kralevich · android-build-merger · b6c9f6dd · ce35d133 · 324efbce
Commit 324efbce authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -79,6 +79,7 @@ auditallow {
  -debuggerd
  -dex2oat
  -dumpstate
+  -init
  -installd
  -system_server
  -zygote
@@ -115,8 +116,38 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow {
-auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -init
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -rild
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:dir r_dir_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -dumpstate
+  -fingerprintd
+  -healthd
+  -init
+  -inputflinger
+  -installd
+  -keystore
+  -netd
+  -rild
+  -surfaceflinger
+  -system_server
+  -zygote
+} cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow {

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -95,6 +95,9 @@ allow dumpstate { storage_file block_device }:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
 binder_call(dumpstate, { appdomain ephemeral_app netd wificond })