From e0d5c5323dcbf0a3db90bb4b8dca603918d4449b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 15 Nov 2016 13:16:27 -0800
Subject: [PATCH] exclude su from app auditallow
su is an appdomain, and as such, any auditallow statements applicable to appdomain also apply to su. However, su is never enforced, so generating SELinux denials for such domains is pointless. Exclude su from ion_device auditallow rules.
Addresses the following auditallow spam:
avc: granted { ioctl } for comm="screencap" path="/dev/ion" dev="tmpfs" ino=10230 ioctlcmd=4906 scontext=u:r:su:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file
Test: policy compiles
Change-Id: I2e783624b9e53ad365669bd6f2d4db40da475a16
---
 public/app.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/public/app.te b/public/app.te
index a443bbce0..6cb3382cc 100644
--- a/public/app.te
+++ b/public/app.te
@@ -239,9 +239,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 # TODO is write really necessary ?
-auditallow appdomain ion_device:chr_file { write append };
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
 # TODO audit ion ioctl usage by apps
-auditallow appdomain ion_device:chr_file ioctl;
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file ioctl;
 allow { appdomain -isolated_app } hal_graphics_allocator:fd use;
-- 
GitLab
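Review bot: The reason su is carved out of the two auditallow rules exists only in the commit message; a reader of app.te sees `userdebug_or_eng(`-su')` sitting between two TODOs and cannot tell that the exclusion is deliberate audit-noise suppression for a never-enforced domain rather than a policy decision, so a comment above the first rule would carry it: `# su is never enforced on userdebug/eng builds, so its granted ion_device accesses are noise for these audits; exclude it.`. It is worth stating in that comment that the change is audit-only: the unchanged `allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;` still grants write/append to every non-isolated app, so the open TODO about whether write is needed still rests on what the remaining (non-su) audit records show. The `userdebug_or_eng` wrapper presumably exists because the su domain is not defined on user builds, where the exclusion would otherwise fail to compile; if app.te has other `auditallow appdomain` rules outside this hunk they will keep logging for su and need the same treatment.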