Suppress harmless denials for file creation in cgroupfs.

The kernel generates file creation audits when O_CREAT is passed even if the file already exists - which it always does in the cgroup cases. We add neverallow rules to prevent mistakenly allowing unnecessary create access. We also suppress these denials, which just add noise to the log, for the more common culprits. Bug: 72643420 Bug: 74182216 Test: Ran build_policies.sh and checked failures were unrelated. Test: Device still boots, denials gone. Change-Id: I034b41ca70da1e73b81fe90090e656f4a3b542dc

Suppress harmless denials for file creation in cgroupfs.
92c149d0 · Alan Stokes · c417b39f · 92c149d0 · 92c149d0 · 92c149d0
Commit 92c149d0 authored 6 years ago by Alan Stokes
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {

 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
--- a/public/domain.te
+++ b/public/domain.te
@@ -1333,6 +1333,13 @@ neverallow domain {
  sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };

+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;