From 63492cd6250a0878af079a388658002f37946b11 Mon Sep 17 00:00:00 2001
From: Tom Cherry
Date: Wed, 15 Nov 2017 14:57:14 -0800
Subject: [PATCH] Copy a dontaudit from init to vendor_init

Copy init's dontaudit for sysfs:dir write; to calm the below denials:
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
avc: denied { write } for pid=542 comm="init" name="1da4000.ufshc" dev="sysfs" ino=21752 scontext=u:r:vendor_init:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1

Bug: 62875318
Test: use pixel + factory reset + vendor_init
Change-Id: I686b51c4f340b3565ea24f00516ebde846be7a89
---
private/vendor_init.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/private/vendor_init.te b/private/vendor_init.te
index c99d96f81..5d97f7269 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -1,2 +1,6 @@
 typeattribute vendor_init coredomain;
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
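Review bot: The comment above the new `dontaudit vendor_init sysfs:dir write;` should make explicit that this rule only suppresses the audit record and grants nothing, so init's `write` to a non-existent sysfs path still fails as before; "isn't a threat" currently reads like the justification for an `allow`, which is what a later maintainer might turn it into. Suggest replacing the first comment line with `# dontaudit, not allow: sysfs does not support creating, unlinking or renaming entries from userspace, so a dir write attempt on a missing node fails regardless; this only silences the denial.` The rule targets the generic `sysfs` type, matching the `tcontext=u:object_r:sysfs:s0` in the quoted denial, so vendor-labelled sysfs subtypes will still log; that looks intentional but is worth a word so nobody widens the target to `sysfs_type`. The hunk header's old-side count suggests a second context line not visible here, so the surrounding file may have content beyond this view.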