dontaudit perfd self:capability kill; perfd sends a kill(PID, 0) (a "null" kill) to determine if a process exists. A process exists if the kill succeeds, or it returns with errno=EPERM. A process doesn't exist if the kill fails with errno=ESRCH. In either case, CAP_KILL is not needed to get this information. Suppress the SELinux denials. Change-Id: I177d432d96de938be6acf9076352d9df18e6308a

commit: bd2ed2a55924c1a443116a4051bbba209fdf4d3e [log] [tgz]
author: Nick Kralevich <nnk@google.com> Tue Dec 01 18:05:32 2015 -0800
committer: Nick Kralevich <nnk@google.com> Tue Dec 01 18:05:32 2015 -0800
tree: ad7f1633aadf653b832d8116a8f53fa50d1ad5db
parent: 3c05e61732377cb1df40794f3326abcf3605b8cf [diff]
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index f25a37b..446cf04 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te

@@ -15,3 +15,8 @@
 allow perfd sysfs_thermal:file rw_file_perms;
 
 allow perfd sysfs_power_management:file w_file_perms;
+
+# perfd uses kill(pid, 0) to determine if a process exists.
+# Determining if a process exists does not require the kill capability
+# since a permission denied indicates the process exists.
+dontaudit perfd self:capability kill;
commit	bd2ed2a55924c1a443116a4051bbba209fdf4d3e	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Tue Dec 01 18:05:32 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Tue Dec 01 18:05:32 2015 -0800
tree	ad7f1633aadf653b832d8116a8f53fa50d1ad5db
parent	3c05e61732377cb1df40794f3326abcf3605b8cf [diff]