From f7ec413844ad691c0c4863de4cc7a0719b12dc8e Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Wed, 14 Feb 2018 16:32:28 -0800
Subject: [PATCH] Dontaudit denials caused by race with labeling.

These denials seem to be caused by a race with the process that labels
the files.  While we work on fixing them, hide the denials.

Bug: 68864350
Bug: 70180742
Test: Built policy.
Change-Id: I58a32e38e6384ca55e865e9575dcfe7c46b2ed3c
---
 private/bootanim.te                      | 3 +++
 private/bug_map                          | 4 ----
 private/surfaceflinger.te                | 3 +++
 vendor/hal_graphics_allocator_default.te | 3 +++
 vendor/hal_graphics_composer_default.te  | 3 +++
 5 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/private/bootanim.te b/private/bootanim.te
index 8c9f6c76e..20ff1934b 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,6 @@
 typeattribute bootanim coredomain;
 
 init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
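Review bot: The added `dontaudit bootanim unlabeled:dir search;` is not limited to the labeling race: the access is still denied, but every `search` denial this domain hits on an `unlabeled` directory is now dropped from the audit log, so a genuinely mislabeled directory or an unexpected access would go unnoticed. The only marker is `# b/68864350`, which does not say the rule is a stopgap; I would write `# TODO(b/68864350): temporary, remove once the labeling race is fixed; hides all unlabeled:dir search denials for bootanim.` The same applies to the dontaudit rules added in surfaceflinger.te, hal_graphics_allocator_default.te and hal_graphics_composer_default.te. Because the matching bug_map entries are removed in this commit, these comments become the only pointer back to the bugs, which makes the removal condition worth stating.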
diff --git a/private/bug_map b/private/bug_map
index fe61dcc15..4ac582e46 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -1,16 +1,12 @@
-bootanim unlabeled dir 68864350
 crash_dump app_data_file dir 68319037
 crash_dump bluetooth_data_file dir 68319037
 crash_dump resourcecache_data_file dir 68319037
 crash_dump system_data_file file 68319037
 crash_dump vendor_overlay_file dir 68319037
 hal_fingerprint_default system_data_file dir 73068008
-hal_graphics_allocator_default unlabeled dir 70180742
-hal_graphics_composer_default unlabeled dir 68864350
 priv_app sysfs dir 72749888
 priv_app sysfs_android_usb file 72749888
 priv_app system_data_file dir 72811052
-surfaceflinger unlabeled dir 68864350
 system_server crash_dump process 73128755
 system_server vendor_framework_file dir 68826235
 untrusted_app_25 system_data_file dir 72550646
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 694bb2fad..e64b8de2c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -115,3 +115,6 @@ pdx_client(surfaceflinger, performance_client)
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the process.
 neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 5afa2b520..3d97ed04c 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -3,3 +3,6 @@ hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
 
 type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
+
+# b/70180742
+dontaudit hal_graphics_allocator_default unlabeled:dir search;
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 47343d9ec..72d781db2 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,3 +3,6 @@ hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
 
 type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
+
+# b/68864350
+dontaudit hal_graphics_composer_default unlabeled:dir search;
-- 
GitLab