Hide sys_rawio SELinux denials.

We often see the following denials: avc: denied { sys_rawio } for comm="update_engine" capability=17 scontext=u:r:update_engine:s0 tcontext=u:r:update_engine:s0 tclass=capability permissive=0 avc: denied { sys_rawio } for comm="boot@1.0-servic" capability=17 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0 These are benign, so we are hiding them. Bug: 37778617 Test: Boot device. Change-Id: Iac196653933d79aa9cdeef7670076f0efc97b44a
2018-04-10 10:46:45 -07:00 · 2018-04-10 10:46:45 -07:00 · bf4afae140
commit bf4afae140
parent d4dd2f5710
2 changed files with 3 additions and 0 deletions
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@ -4,3 +4,5 @@ binder_call(hal_bootctl_server, hal_bootctl_client)

 add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
 allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
--- a/public/update_engine.te
+++ b/public/update_engine.te
@ -19,6 +19,7 @@ wakelock_use(update_engine);

 # Ignore these denials.
 dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;

 # Allow using persistent storage in /data/misc/update_engine.
 allow update_engine update_engine_data_file:dir create_dir_perms;