From d5678c11de4de8d051bebcfdc6cdff64b23d1e1e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 20 Oct 2017 12:32:41 -0700
Subject: [PATCH] Dumpstate: cleanup denial logspam

Dumpstate lists all services and then enumerates over them. Suppress
"find" denials for services which dumpstate is neverallowed access
to.

Dumpstate includes the kernel command line in bug reports. Grant access
to /proc/cmdline.

Test: build. Run adb bugreport.
Change-Id: I89b546c728a034638f9257c6cf93366d99a10762
---
 public/dumpstate.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 42d929049..a814f16ba 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -151,6 +151,7 @@ control_logd(dumpstate)
 read_runtime_log_tags(dumpstate)
 
 # Read files in /proc
+allow dumpstate proc_cmdline:file r_file_perms;
 allow dumpstate proc_meminfo:file r_file_perms;
 allow dumpstate proc_net:file r_file_perms;
 allow dumpstate proc_pagetypeinfo:file r_file_perms;
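Review bot: The new `proc_cmdline` rule carries no comment saying why dumpstate needs it, although its contents will now travel off the device inside bug reports. The file has its own type rather than the generic proc label, presumably so that access stays narrow. I would therefore record the justification next to the grant, e.g. `# Kernel command line is included in bug reports.` directly above the added allow line. Anyone consuming bug reports should treat the boot parameters in that output as potentially device-specific data.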
@@ -198,6 +199,16 @@ allow dumpstate {
   -vold_service
   -vr_hwc_service
 }:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+  dumpstate_service
+  gatekeeper_service
+  incident_service
+  virtual_touchpad_service
+  vold_service
+  vr_hwc_service
+}:service_manager find;
+
 allow dumpstate servicemanager:service_manager list;
 allow dumpstate hwservicemanager:hwservice_manager list;
 
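Review bot: The `dontaudit` set repeats by hand the exclusions of the `allow ... find` rule just above it, so the two lists can drift: a service later excluded from the allow rule but not added here brings the logspam back, and nothing tells the next editor to update both. Only `-vold_service` and `-vr_hwc_service` of that exclusion list are visible in this hunk (the allow block opens outside it), so the other four names should be checked against it. Because `dontaudit` drops these denials from the audit log, an unexpected `find` on, for example, `gatekeeper_service` from the dumpstate domain will no longer show up for anyone reviewing denials. I would expand the comment to something like `# dumpstate enumerates every service; these finds are denied by design. Keep in sync with the exclusions above.`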
-- 
GitLab