From 06aee357e4bffac591ccddf4e4404b6d7bfea74b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 26 Jun 2017 15:08:37 -0700
Subject: [PATCH] dexoptanalyzer: suppress access(2) denial

A legitimate call to access(2) is generating a denial. Use the
audit_access permission to suppress the denial on just the access()
call.

avc: denied { write } for name="verified_jars"
scontext=u:r:dexoptanalyzer:s0
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

Bug: 62597207
Test: build policy
Test: The following cmd succeeds but no longer generates a denial
    adb shell cmd package compile -r bg-dexopt --secondary-dex \
    com.google.android.googlequicksearchbox

Change-Id: I7d03df2754c24c039bce11426bf8f317232f5e5f
(cherry picked from commit 575e6270813e4d701e824951920a359d16f0d054)
---
 private/dexoptanalyzer.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index db81d0dad..1c23f5727 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -21,6 +21,10 @@ allow dexoptanalyzer installd:fd use;
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
 allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
 
 # Allow testing /data/user/0 which symlinks to /data/data
 allow dexoptanalyzer system_data_file:lnk_file { getattr };