suppress logspam

avc: denied { search } for name="tmp" dev="sda13" ino=1867778 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:shell_data_file:s0 tclass=dir avc: denied { getattr } for path="/mnt/expand" dev="tmpfs" ino=9850 scontext=u:r:webview_zygote:s0 tcontext=u:object_r:mnt_expand_file:s0 tclass=dir Bug: 63631799 Test: build. Denial no longer appears in the logs Change-Id: Ie8a297c73b0f0e9008a7bf24438ef5354bf893df

suppress logspam
fc283871 · Jeff Vander Stoep · 1eff6417 · fc283871 · fc283871
Commit fc283871 authored 7 years ago by Jeff Vander Stoep
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -46,6 +46,10 @@ allow isolated_app webview_zygote:unix_dgram_socket write;
 # Read system properties managed by webview_zygote.
 allow isolated_app webview_zygote_tmpfs:file read;

+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
 #####
 ##### Neverallow
 #####

--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -43,6 +43,10 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;

+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
 # Get seapp_contexts
 allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.