From 4b7cf4fba15274386ddc3bf004e648dbe65140b8 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 26 Jun 2017 16:25:20 -0700
Subject: [PATCH] Suppress su access to pdx sockets

Su runs in permissive mode and denials should be suppressed.

avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_manager_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_display_vsync_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_bufferhub_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1
avc: denied { getattr } for scontext=u:r:su:s0
tcontext=u:object_r:pdx_performance_client_endpoint_socket:s0
tclass=unix_stream_socket permissive=1

Bug: 35197529
Test: policy builds
Change-Id: Ia643c6e776e5e5bd473d857d523c3be91d32c40a
---
 public/te_macros | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/public/te_macros b/public/te_macros
index d65eb889c..2d1ec0338 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -101,6 +101,10 @@ define(`pdx_service_socket_types', `
 typeattribute $2 pdx_$1_endpoint_dir_type;
 type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
 type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
 ')
 
 #####################################
-- 
GitLab