Suppress noisy performanced denials in permissive mode.

The sheer volume of these can cause confusion. Sample denials (repeated for many processes): denied { getattr } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1 denied { open } for path="/proc/1" dev="proc" ino=18608 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=dir permissive=1 denied { open } for path="/proc/1/status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1 denied { read } for name="status" dev="proc" ino=24427 scontext=u:r:performanced:s0 tcontext=u:r:init:s0 tclass=file permissive=1 Bug: 72643420 Test: Denials no longer present in permissive mode. Change-Id: Ic07b9b0b59ca2122c4843095b63075ab8fd2c70b

Suppress noisy performanced denials in permissive mode.
cf71a5ae · Alan Stokes · f98cd4fa · cf71a5ae
Commit cf71a5ae authored 7 years ago by Alan Stokes
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -19,5 +19,12 @@ r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
 dontaudit performanced domain:dir read;
 allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+  dontaudit performanced domain:dir open;
+  dontaudit performanced domain:file { open read getattr };
+')
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)