Suppress permissive audit messages post OTA reboot

For post-OTA boot, we run a userspace block device daemon to mount /system.
However if we let the daemon run while loading sepolicy, it would spam permissive audits.
Since sepolicy is still not enforced yet, we can suppress these
audit messages.

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I0af484f95b6a1deb41498d67de82afd3c6bb29b6
This commit is contained in:
Akilesh Kailash 2022-07-26 21:26:01 +00:00
parent 24b66bcf11
commit 1044702704
2 changed files with 26 additions and 0 deletions


@ -32,6 +32,19 @@ allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write; allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use; allow kernel gsid:fd use;
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };
dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
# Some contexts are changed before the device is flipped into enforcing mode # Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since # during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into # the permissions should not be allowed after the device is flipped into
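Review bot: The new `dontaudit` lines carry no comment saying which caller they cover, while the block directly below them documents its own suppressions; add a short header above `dontaudit kernel metadata_file:dir search;` stating that these cover the userspace block-device daemon that mounts /system during post-OTA boot while it still runs in the kernel domain before sepolicy is loaded, and that only the audit is suppressed, no access is granted. That comment should also note that `dontaudit` remains in effect once the device is enforcing, so if the same accesses ever occur with policy loaded they will be denied with no audit trail, which is the intended outcome here but will make such failures hard to diagnose. Of the set, `dontaudit kernel self:capability { sys_admin setgid mknod };` and `dontaudit kernel sysfs:file { open read write };` are the broadest; confirm they cannot be narrowed to the specific sysfs types the daemon touches.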


@ -32,6 +32,19 @@ allow kernel snapuserd_exec:file relabelto;
allow kernel kmsg_device:chr_file write; allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use; allow kernel gsid:fd use;
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;
dontaudit kernel sysfs:file { open read write };
dontaudit kernel sysfs:chr_file { open read write };
dontaudit kernel dm_device:chr_file ioctl;
dontaudit kernel self:capability { sys_admin setgid mknod };
dontaudit kernel dm_user_device:dir { write add_name };
dontaudit kernel dm_user_device:chr_file { create setattr };
dontaudit kernel tmpfs:lnk_file read;
dontaudit kernel tmpfs:blk_file { open read };
# Some contexts are changed before the device is flipped into enforcing mode # Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since # during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into # the permissions should not be allowed after the device is flipped into
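Review bot: This hunk is line for line identical to the first one and the page shows no file header for either, so it is not visible which file this copy lands in; since the change touches two files with the same number of additions, this appears to be a mirrored copy of the same policy, in which case both copies must stay identical, including any explanatory comment placed above `dontaudit kernel metadata_file:dir search;`, and it is worth confirming that the missing header is a rendering issue rather than the same file being shown twice.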