From 6e88ebf4b951910df28c0f0e487c7fdccf42bae7 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 15 Jun 2017 13:13:01 -0700
Subject: [PATCH] Suppress safetynet denials

Clean up ~50 denials such as:
avc: denied { getattr } for comm="highpool[2]" path="/system/bin/bufferhubd" dev="dm-0" ino=1029 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:bufferhubd_exec:s0 tclass=file
avc: denied { getattr } for comm="highpool[3]" path="/system/bin/cppreopts.sh" dev="dm-0" ino=2166 scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cppreopts_exec:s0 tclass=file
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/system/bin/fsck.f2fs" dev="dm-0" ino=1055 scontext=u:r:priv_app:s0:c522,c768 tcontext=u:object_r:fsck_exec:s0 tclass=file

Bug: 62602225
Bug: 62485981
Test: build policy
Change-Id: I5fbc84fb6c97c325344ac95ffb09fb0cfcb90b95
---
 private/priv_app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/priv_app.te b/private/priv_app.te
index 654264a45..585f46625 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -127,6 +127,9 @@ allow priv_app selinuxfs:file r_file_perms;
 
 read_runtime_log_tags(priv_app)
 
+# suppress denials when safetynet scans /system
+dontaudit priv_app exec_type:file getattr;
+
 ###
 ### neverallow rules
 ###
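Review bot: The new `dontaudit` at the `exec_type:file getattr` line is scoped to the whole `exec_type` attribute, so it silences priv_app getattr denials on every executable label in the policy, not only the three listed in the commit message; any future priv_app getattr on an exec_type file will then fail silently with no avc line to debug from. The comment above it should record that scope and the tracking bugs so a later reader does not mistake it for a grant, e.g. `# b/62602225 b/62485981: safetynet stats /system binaries; dontaudit only (no access granted), covers all exec_type labels`. If the denial set is really limited to a few executables, a narrower target than `exec_type` would keep the remaining denials visible; that is inferred from the three examples in the description and worth confirming against the full ~50.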
-- 
GitLab