Merge "Suppress harmless denials for file creation in cgroupfs."

9a76c280 · Treehugger Robot · Gerrit Code Review · 2c36eb6d · 832a7042 · 9a76c280
Commit 9a76c280 authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/init.te
+++ b/private/init.te
@@ -25,3 +25,8 @@ userdebug_or_eng(`
 # Sometimes we have to write to non-existent files to avoid conditional
 # init behavior. See b/35303861 for an example.
 dontaudit init sysfs:dir write;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit init cgroup:file create;
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,3 +134,8 @@ neverallow zygote {

 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
+
+# Suppress false positives when using O_CREAT
+# to open a file that already exists.
+# There's a neverallow rule for this in domain.te
+dontaudit zygote cgroup:file create;
--- a/public/domain.te
+++ b/public/domain.te
@@ -1331,6 +1331,13 @@ neverallow domain {
  sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };

+# cgroupfs directories can be created, but not files within them
+# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow {
+  domain
+  -installd
+} cgroup:file create;
+
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;