Suppress some su capability2 related denials

The su domain is always permissive. Operations which occur in this domain should never be logged. Addresses the following denials: avc: denied { bpf } for comm="bpf_module_test" capability=39 scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1 Bug: 185230825 Test: builds Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5
2021-04-13 08:19:39 -07:00 · 2021-04-13 08:19:39 -07:00 · 124c77140d
commit 124c77140d
parent 4ea9b0b9df
1 changed files with 1 additions and 0 deletions
--- a/public/su.te
+++ b/public/su.te
@ -18,6 +18,7 @@ userdebug_or_eng(`
  vndbinder_use(su)

  dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
  dontaudit su kernel:security *;
  dontaudit su { kernel file_type }:system *;
  dontaudit su self:memprotect *;