Get rid of auditallow spam.

am: 79a08e13 Change-Id: Iee32c3aab31156606142101a0f85a10383cdf712

Get rid of auditallow spam.
6f2f72c2 · Nick Kralevich · android-build-merger · 14742b0f · 79a08e13 · 6f2f72c2
Commit 6f2f72c2 authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -108,6 +108,7 @@ auditallow {
  domain
  -appdomain
  -dex2oat
+  -dumpstate
  -recovery
  -zygote
 } libart_file:file { execute read open getattr };

--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -62,8 +62,27 @@ auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } ap
 # Read /data/dalvik-cache.
 allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
+auditallow {
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
+  domain_deprecated
+  -appdomain
+  -debuggerd
+  -dex2oat
+  -dumpstate
+  -init
+  -installd
+  -system_server
+  -zygote
+} dalvikcache_data_file:dir { search getattr };
+auditallow {
+  domain_deprecated
+  -appdomain
+  -debuggerd
+  -dex2oat
+  -dumpstate
+  -installd
+  -system_server
+  -zygote
+} dalvikcache_data_file:file r_file_perms;
 # Read already opened /cache files.
 allow domain_deprecated cache_file:dir r_dir_perms;
@@ -100,7 +119,18 @@ auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputfli
 auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
+auditallow {
+  domain_deprecated
+  -appdomain
+  -clatd
+  -dumpstate
+  -init
+  -netd
+  -system_server
+  -vold
+  -wpa
+  -zygote
+} proc_net:{ file lnk_file } r_file_perms;
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -118,7 +118,9 @@ allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate dumpstate_tmpfs:file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate dalvikcache_data_file:file execute;
+allow dumpstate libart_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
 # For Bluetooth
@@ -133,6 +135,9 @@ allow dumpstate gpu_device:chr_file rw_file_perms;
 read_logd(dumpstate)
 control_logd(dumpstate)
+# Read /proc/net
+allow dumpstate proc_net:file r_file_perms;
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;