From 9bbe420b42112f3a580211e3d230657459d05add Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 14 Jun 2017 10:11:12 -0700
Subject: [PATCH] recovery: clean up audit logspam
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir
avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
Fixes: 62619253
Test: policy builds, no more "granted" messages in dmesg for recovery.
Merged-In: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3
Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3
(cherry picked from commit ea1d6e7dc253a79d666034ddb11df7bfa332b496)
---
 public/domain_deprecated.te | 10 ++++++++++
 public/recovery.te | 2 ++
 2 files changed, 12 insertions(+)
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index ad84af9be..f5231fbb3 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -7,6 +7,7 @@ auditallow {
 domain_deprecated
 -appdomain
 -installd
+ -recovery
 -sdcardd
 -surfaceflinger
 -system_server
@@ -25,6 +26,7 @@ auditallow {
 -fsck
 -healthd
 -installd
+ -recovery
 -servicemanager
 -system_server
 -ueventd
@@ -36,6 +38,7 @@ auditallow {
 domain_deprecated
 -healthd
 -installd
+ -recovery
 -servicemanager
 -system_server
 -ueventd
@@ -48,6 +51,7 @@ auditallow {
 -appdomain
 -healthd
 -installd
+ -recovery
 -servicemanager
 -system_server
 -ueventd
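Review bot: The commit message lists seven granted lines over four target types (cache_file, rootfs, sysfs, tmpfs), yet `-recovery` is added to ten auditallow sets in this file, and for this hunk and the ones at -25, -36 and -48 the closing `}` with the target type and permission list lies outside the hunk. Each exclusion also stops logging any other recovery access to that type, not just the ones quoted, so every set should be checked against an access recovery is actually meant to keep. Where recovery.te grants the access itself, a comment above the set such as `# recovery: access is granted explicitly in recovery.te` would record why the domain is exempt.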
@@ -138,17 +142,20 @@ allow domain_deprecated cache_file:lnk_file r_file_perms;
 userdebug_or_eng(`
 auditallow {
 domain_deprecated
+ -recovery
 -system_server
 -vold
 } cache_file:dir { open read search ioctl lock };
 auditallow {
 domain_deprecated
 -appdomain
+ -recovery
 -system_server
 -vold
 } cache_file:dir getattr;
 auditallow {
 domain_deprecated
+ -recovery
 -system_server
 -vold
 } cache_file:file { getattr read };
@@ -190,6 +197,7 @@ auditallow {
 -healthd
 -netd
 -rild
+ -recovery
 -system_app
 -surfaceflinger
 -system_server
@@ -203,6 +211,7 @@ auditallow {
 -healthd
 -netd
 -rild
+ -recovery
 -system_app
 -surfaceflinger
 -system_server
@@ -216,6 +225,7 @@ auditallow {
 -healthd
 -netd
 -rild
+ -recovery
 -system_app
 -surfaceflinger
 -system_server
diff --git a/public/recovery.te b/public/recovery.te
index 0f47be705..fe02a0810 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@ recovery_only(`
 allow recovery self:capability2 mac_admin;
 # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
 allow recovery rootfs:file execute_no_trans;
 allow recovery system_file:file execute_no_trans;
 allow recovery toolbox_exec:file rx_file_perms;
@@ -51,6 +52,7 @@ recovery_only(`
 # Write to /sys/class/android_usb/android0/enable.
 # TODO: create more specific label?
+ r_dir_file(recovery, sysfs)
 allow recovery sysfs:file w_file_perms;
 # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
--
GitLab
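Review bot: These three sets exempt recovery from auditing on `cache_file:dir` and `cache_file:file`, but the only explicit rules this patch adds to recovery.te are for rootfs and sysfs; nothing for cache_file, or for the `tmpfs:dir` search quoted in the commit message, is visible. If recovery.te does not already carry those rules outside the shown hunks, the access still comes from domain_deprecated and is now unlogged, so a later removal of domain_deprecated from recovery would lose it without a prior audit trail. Confirm the existing rules, or add a narrow one matching the log, e.g. `allow recovery cache_file:dir search;`. The `userdebug_or_eng(` block opened in this hunk closes outside it.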
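Review bot: In this hunk and the two that follow (-203 and -216) `-recovery` is inserted after `-rild`, whereas the earlier hunks place it in alphabetical position after `-installd`. Putting it before `-rild` would keep the exclusion lists easier to scan and to diff when further domains are added. The target type of these three sets is outside the hunks, so it cannot be matched against the commit message from here.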
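Review bot: `r_dir_file(recovery, rootfs)` is placed under the comment "Run helpers from / or /system without changing domain", which describes the execute_no_trans rules and not a read grant. The macro gives read access to directories, files and symlinks labelled rootfs, which is wider than the file getattr/read/open shown in the commit message, so it deserves its own comment, e.g. `# Read rootfs files and directories; presumably replaces the access formerly taken from domain_deprecated.` The enclosing `recovery_only(` block starts and ends outside the hunk.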
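Review bot: `r_dir_file(recovery, sysfs)` grants read on everything carrying the generic sysfs label, while the comment above names a single node and the existing TODO already asks for a more specific label. The quoted avc lines show only file read/open on sysfs, so the rule is broader than the observed need; at minimum extend the TODO to cover it, e.g. `# TODO: restrict read and write to specifically labelled sysfs nodes.` If the nodes recovery reads are known, labelling them and granting read on that type would keep the rest of sysfs out of reach. The enclosing `recovery_only(` block continues outside the hunk.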