Suppress denials for odsign console am: 8b80dacadc

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3085865 Change-Id: Id23bd90e60972781e25896dd2a0ee6a8195ec96e Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-14 17:42:34 +00:00 · 2024-05-14 17:42:34 +00:00 · c702594172
commit c702594172
parent 7575d606d5 8b80dacadc
1 changed files with 4 additions and 3 deletions
--- a/private/compos_verify.te
+++ b/private/compos_verify.te
@ -15,9 +15,10 @@ allow compos_verify apex_compos_data_file:file { rw_file_perms create };
 allow compos_verify apex_art_data_file:dir search;
 allow compos_verify apex_art_data_file:file r_file_perms;

-# Allow odsign to redirect our stdout/stderr to log
-allow compos_verify odsign:fd use;
-allow compos_verify odsign_devpts:chr_file { read write };
+# odsign runs us with its console as our stdin/stdout/stderr.
+# But we never use them; logs go to logcat. Suppress the useless denials.
+dontaudit compos_verify odsign:fd use;
+dontaudit compos_verify odsign_devpts:chr_file { read write };

 # Only odsign can enter the domain via exec
 neverallow { domain -odsign } compos_verify:process transition;