From 3adb31f0041043ee3ee6688ba571a7d7bc480660 Mon Sep 17 00:00:00 2001 From: Daniel Angell Date: Fri, 1 Jul 2022 20:24:05 +0000 Subject: [PATCH] Remove dontaudit rules related to storageproxyd's /data access. Removing dontaudits for both tracking_denials/tee.te and whitechapel_pro/tee.te results in no new audit log messages related to storageproxyd, so they can both be removed. Bug: 215649571 Test: adb logcat | grep -iE 'storageproxyd' Change-Id: I8dc735bcaf0725c8d4eab4587f7a7fce21f4e25c
---
tracking_denials/tee.te | 3 --- whitechapel_pro/tee.te | 4 ---- 2 files changed, 7 deletions(-)
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
index 3a56e037..9a1070ab 100644
--- a/tracking_denials/tee.te
+++ b/tracking_denials/tee.te
@@ -1,5 +1,2 @@
 # TODO(b/205904330): avoid using setuid, setgid permission
 allow tee tee:capability { setuid setgid };
-# b/215649571
-dontaudit tee gsi_metadata_file:dir { search };
-dontaudit tee metadata_file:dir { search };
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
index 58228b5a..f93bf59e 100644
--- a/whitechapel_pro/tee.te
+++ b/whitechapel_pro/tee.te
@@ -11,7 +11,3 @@ allow tee sg_device:chr_file rw_file_perms;
 
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
-
-# storageproxyd starts before /data is mounted. It handles /data not being there
-# gracefully. However, attempts to access /data trigger a denial.
-dontaudit tee unlabeled:dir { search };