Suppress denials from idmap reading installd's files.

We are occasionally seeing the following SELinux denial:

avc: denied { read } for comm="idmap" path="/proc/947/mounts" scontext=u:r:idmap:s0 tcontext=u:r:installd:s0 tclass=file

This commit suppresses that exact denial.

We believe this is occurring when idmap is forked from installd, which is reading its mounts file in another thread.

Bug: 72444813
Test: Boot Walleye and test wifi and camera.
Change-Id: I3440e4b00c7e5a708b562a93b304aa726b6a3ab9

2 files changed, 3 insertions, 1 deletions

diff --git a/private/bug_map b/private/bug_map
index 6bc55e5b..2b970dd6 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -9,4 +9,3 @@ hal_graphics_allocator_default unlabeled dir 70180742
 surfaceflinger unlabeled dir 68864350
 hal_graphics_composer_default unlabeled dir 68864350
 bootanim unlabeled dir 68864350
-idmap installd file 72444813
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8fd..3f336a32 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@ type idmap_exec, exec_type, file_type;
 allow idmap installd:fd use;
 allow idmap resourcecache_data_file:file { getattr read write };
 
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
 # Open and read from target and overlay apk files passed by argument.
 allow idmap apk_data_file:file r_file_perms;
 allow idmap apk_data_file:dir search;