From 569e22e86f9ee526257f873717278b5cec79064f Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Fri, 16 Mar 2018 16:08:31 -0700
Subject: [PATCH] netd: silence innocuous denials to /proc and /sys

Bug: 74586749
Test: build policy
Change-Id: I72a3b7c38eb9030ffac0d2dde23a9ff7c26fd70a
---
 public/netd.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/public/netd.te b/public/netd.te
index 0e9e08ca7..c056ea9b6 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -146,3 +146,12 @@ neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
 # We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
 # the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
 neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
+
+# If an already existing file is opened with O_CREATE, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+neverallow netd proc_net:dir no_w_dir_perms;
+dontaudit netd proc_net:dir write;
+
+neverallow netd sysfs_net:dir no_w_dir_perms;
+dontaudit netd sysfs_net:dir write;
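Review bot: The comment added at the top of this hunk refers to `O_CREATE`, but the open(2) flag is `O_CREAT`; a reader grepping for the flag will not find it, so the first line should read `# If an already existing file is opened with O_CREAT, the kernel might generate`. The wording "create denial" is also slightly misleading given that the rules below suppress `dir write`, which is the check the kernel performs on the parent directory in that case; a clearer second sentence would be `# a spurious write denial on the parent directory. Silence these denials and make sure that`. It is worth stating explicitly that `dontaudit` only stops the audit log entry and grants nothing, while the paired `neverallow` is a compile-time assertion that no rule elsewhere in policy ever grants netd write-class access to these directories. Since the rules are keyed to the `netd` domain and the `proc_net` / `sysfs_net` types only, the suppression presumably does not extend to other domains or types; confirming that against the rest of the policy would be prudent.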
-- 
GitLab