From 6fe899a0d1905682c3224f1a3809288dacc0ca3f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 13 Mar 2014 16:19:25 -0400
Subject: [PATCH] Silence /proc/pid denials.

system_server components such as ActivityManager and CpuTracker
try to access all /proc/pid directories, triggering denials on
domains that are not explicitly allowed to the system_server.
Silence these denials to avoid filling the logs with noise
and overwriting actual useful messages in the kernel ring buffer.

Change-Id: Ifd6f2fd63e945647570ed61c67a6171b89878617
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 system_server.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system_server.te b/system_server.te
index b59f5a359..76998a923 100644
--- a/system_server.te
+++ b/system_server.te
@@ -80,6 +80,13 @@ r_dir_file(system_server, appdomain)
 # Write to /proc/pid/oom_adj_score for apps.
 allow system_server appdomain:file write;
 
+# Silently deny access to any /proc/pid files other than
+# the ones allowed via allow rule.  Avoids filling the logs
+# with noise from /proc/pid traversals by ActivityManager,
+# CpuTracker, and possibly other system_server components.
+dontaudit system_server domain:dir r_dir_perms;
+dontaudit system_server domain:{ file lnk_file } r_file_perms;
+
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
 allow system_server qtaguid_proc:file rw_file_perms;
 allow system_server qtaguid_device:chr_file rw_file_perms;
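Review bot: The two dontaudit rules are keyed on the `domain` attribute, so they suppress read-class denials on every dir/file/lnk_file object labeled with any process domain type, not specifically on /proc/pid as the comment above them says; in practice that is /proc/pid, but the comment should state the actual scope rather than the intended one. Because dontaudit only silences the audit record while the access is still denied, any future system_server component that genuinely needs to read a /proc/pid entry of some domain will now fail without leaving a trace in the ring buffer, which also removes the only signal that a broad `r_dir_perms`/`r_file_perms` read attempt against privileged domains (init, kernel, etc.) happened. I would extend the comment with something like `# NOTE: dontaudit suppresses the log only; the access is still denied. A missing /proc/pid read permission for system_server now fails silently, so verify new accesses with these two rules temporarily removed.` Keeping `write` out of the silenced set, as the hunk does, is the right call since the existing allow on line 24 covers the only intended write and other write denials stay visible.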
-- 
GitLab