Suppress denials from idmap reading installd's files.

We are occasionally seeing the following SELinux denial: avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file This commit suppresses that exact denial. We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread. Bug: 72444813 Test: Boot Walleye and test wifi and camera. Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9

Suppress denials from idmap reading installd's files.
b050dccd · Joel Galenson · 715c3a78 · b050dccd · b050dccd
Commit b050dccd authored 7 years ago by Joel Galenson
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,4 +9,3 @@ hal_graphics_allocator_default unlabeled dir 70180742
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
-idmap installd file 72444813
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@ type idmap_exec, exec_type, file_type;
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file { getattr read write };
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;