From a9b718a1ed91dc74ea8f231d07f27685891042e5 Mon Sep 17 00:00:00 2001 From: Tobias Thierer Date: Wed, 11 Sep 2019 19:11:46 +0100 Subject: [PATCH] SEPolicy: dontaudit attempts to create marker files. Binaries other than boringssl_self_test_exec are not allowed to create marker files /dev/boringssl/selftest/[hash]. Right now, some processes still attempt to because: - Some binaries run so early during early-init that boringssl_self_test{32,64} hasn't had a chance to run yet, so the marker file doesn't exist yet, so the unprivileged process attempts to create it. - Some binaries statically link libcrypto so their [hash] is different from that used by boringssl_self_test{32,64}. There's some ongoing work to stop those binaries even attempting to create the marker files but it's not a big deal if they do. Similarly, there is ongoing work to minimize or eliminate static linking of this library. For now, this CL turns off audit logs for this behavior since it is harmless (a cosmetic issue) and in order to not hold up the bulk of the logic being submitted. Bug: 137267623 Test: Treehugger Change-Id: I3de664c5959efd130f761764fe63515795ea9b98 --- private/boringssl_self_test.te | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/private/boringssl_self_test.te b/private/boringssl_self_test.te index bad0afca5..849763131 100644 --- a/private/boringssl_self_test.te +++ b/private/boringssl_self_test.te @@ -18,3 +18,21 @@ neverallow { -init -vendor_init } boringssl_self_test_marker:file no_rw_file_perms; + +neverallow { + domain + -boringssl_self_test + -init + -vendor_init +} boringssl_self_test_marker:dir write; + +# If those other processes attempt to create the marker files +# (which starts with :dir write), that's not a big deal. +# Don't log about it. +dontaudit { + domain + -boringssl_self_test + -init + -vendor_init +} boringssl_self_test_marker:dir write; +
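Review bot: the new dontaudit rule is broader than the problem the commit message describes: the offenders named are early-init binaries and binaries that statically link libcrypto, yet the rule silences `boringssl_self_test_marker:dir write` for every domain other than boringssl_self_test, init and vendor_init, so an unrelated domain that later starts trying to write into the marker directory will also fail without leaving an audit entry. Consider scoping the dontaudit to the specific domains (or an attribute grouping them) instead of `domain`, and put the bug number in the comment so the rule is dropped once the early-init and static-linking work lands. The comment "If those other processes attempt to create the marker files" also has no antecedent in this file; say which processes are meant, for example "Domains other than boringssl_self_test, init and vendor_init that try to create /dev/boringssl/selftest/[hash]". Since the neverallow directly above the dontaudit already guarantees no such domain is granted the permission, the dontaudit only affects logging, and the comment's note that the create attempt "starts with :dir write" is the reason silencing that single permission is sufficient; stating that explicitly would keep a future reader from widening the rule to `add_name` or `file create`.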