From 665091f37dbe128caa4089d6f1f200e09818c3fa Mon Sep 17 00:00:00 2001 From: rsuntk Date: Fri, 15 Aug 2025 14:55:34 +0700 Subject: [PATCH] kernel: selinux: dontaudit untrusted_app su dir { getattr } * Following the advice that was given by member in rksu group, by replacing ALL to untrusted_app. $ /system/bin/stat /proc/1 Result: 08-15 14:57:54.370 20062 20062 W stat : type=1400 audit(0.0:9564): avc: denied { getattr } for path="/proc/1" dev="proc" ino=12308 scontext=u:r:untrusted_app_27:s0:c27,c258,c512,c768 tcontext=u:r:init:s0 tclass=dir permissive=0 app=com.termux (issue https://github.com/rsuntk/KernelSU/commit/438bd5fd6dac74ba63ef627124f0d2f552b1cb31#commitcomment-163785768) Test: Checker pass. * Any issue? Let me know. Tested-by: rsuntk Signed-off-by: rsuntk --- kernel/selinux/rules.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/selinux/rules.c b/kernel/selinux/rules.c index 230b2fc7..1b56fab6 100644 --- a/kernel/selinux/rules.c +++ b/kernel/selinux/rules.c @@ -46,7 +46,7 @@ void apply_kernelsu_rules() } mutex_lock(&ksu_rules); - + db = get_policydb(); ksu_permissive(db, KERNEL_SU_DOMAIN); @@ -139,6 +139,9 @@ void apply_kernelsu_rules() ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "getpgid"); ksu_allow(db, "system_server", KERNEL_SU_DOMAIN, "process", "sigkill"); + // https://android-review.googlesource.com/c/platform/system/logging/+/3725346 + ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr"); + mutex_unlock(&ksu_rules); }
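Review bot: The source type in the added `ksu_dontaudit(db, "untrusted_app", KERNEL_SU_DOMAIN, "dir", "getattr");` (second hunk) does not match the denial quoted in the commit message, whose scontext is `untrusted_app_27`. On Android the versioned app domains (`untrusted_app_25`, `untrusted_app_27`, `untrusted_app_29` and so on) are separate types, so a rule keyed on the `untrusted_app` type alone would presumably leave the getattr denial audited for apps with an older targetSdk, such as the Termux build used in the test. If `ksu_dontaudit` resolves attribute names (its implementation is not visible here), `ksu_dontaudit(db, "untrusted_app_all", KERNEL_SU_DOMAIN, "dir", "getattr");` would cover all of them; otherwise each versioned type needs its own rule. The quoted denial also has `tcontext=u:r:init:s0`, so it does not exercise this rule, and a check against a process running in KERNEL_SU_DOMAIN would be the relevant test. The body of apply_kernelsu_rules starts outside this hunk.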