From 124c77140deb24d4ab770de28281067843712bf4 Mon Sep 17 00:00:00 2001
From: Alistair Delva <adelva@google.com>
Date: Tue, 13 Apr 2021 08:19:39 -0700
Subject: [PATCH] Suppress some su capability2 related denials

The su domain is always permissive. Operations which occur in this
domain should never be logged.

Addresses the following denials:

avc: denied { bpf } for comm="bpf_module_test" capability=39
scontext=u:r:su:s0 tcontext=u:r:su:s0 tclass=capability2 permissive=1

Bug: 185230825
Test: builds
Change-Id: Id8bd355a9636fb5e9d26ef570c2cf7e4273b08b5
---
 public/su.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/su.te b/public/su.te
index cefc44d6f..074ff2e5d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,6 +18,7 @@ userdebug_or_eng(`
   vndbinder_use(su)
 
   dontaudit su self:capability_class_set *;
+  dontaudit su self:capability2 *;
   dontaudit su kernel:security *;
   dontaudit su { kernel file_type }:system *;
   dontaudit su self:memprotect *;