Remove SElinux audit to libart_file

am: 01ee59a7b4 Change-Id: I2d5889cd3faf16957ed329234ffd7b3bc6504203
2017-02-01 00:56:37 +00:00 · 2017-02-01 00:56:37 +00:00 · 2ce7f8362f
commit 2ce7f8362f
parent e9f4b5998c 01ee59a7b4
10 changed files with 3 additions and 36 deletions
--- a/private/app.te
+++ b/private/app.te
@ -14,9 +14,6 @@ allow appdomain zygote_tmpfs:file read;
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;

-# allow access to the interpreter
-allow appdomain libart_file:file { execute read open getattr };
-
 allow appdomain ashmem_device:chr_file execute;

 # Receive and use open file descriptors inherited from zygote.
--- a/private/file_contexts
+++ b/private/file_contexts
@ -239,8 +239,6 @@
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
-/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
-/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
--- a/private/zygote.te
+++ b/private/zygote.te
@ -40,8 +40,6 @@ allow zygote dalvikcache_data_file:lnk_file create_file_perms;
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;

-# For art.
-allow zygote libart_file:file { execute read open getattr };
 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
 # /data/dalvik-cache.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@ -24,9 +24,6 @@ allow crash_dump exec_type:file r_file_perms;
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;

-# Unwind through libart.
-allow crash_dump libart_file:file r_file_perms;
-
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@ -6,9 +6,6 @@ r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})

 allow dex2oat tmpfs:file { read getattr };

-# allow access to the interpreter
-allow dex2oat libart_file:file { execute read open getattr };
-
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
--- a/public/domain.te
+++ b/public/domain.te
@ -94,21 +94,6 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;

-# Initially grant all domains access to libart.
-# TODO move to a whitelist. b/29795519
-allow domain libart_file:file { execute read open getattr };
-auditallow {
-  domain
-  -appdomain
-  -crash_dump
-  -dex2oat
-  -dumpstate
-  -profman
-  -recovery
-  -webview_zygote
-  -zygote
-} libart_file:file { execute read open getattr };
-
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;

@ -308,7 +293,7 @@ neverallow {
    -system_server
    -webview_zygote
    -zygote
-} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
    domain
    -appdomain # for oemfs
@ -640,7 +625,7 @@ neverallow * ~servicemanager:service_manager list;
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };

 # Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set; 
+# TODO - rework this: neverallow * ~property_type:property_service set;

 # Domain types should never be assigned to any files other
 # than the /proc/pid files associated with a process. The
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -114,7 +114,6 @@ allow dumpstate zygote_exec:file rx_file_perms;
 allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate libart_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:dir { search getattr };
 allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
--- a/public/file.te
+++ b/public/file.te
@ -78,8 +78,6 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
-# Type for /system/*/libart*
-type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
--- a/public/profman.te
+++ b/public/profman.te
@ -2,8 +2,6 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;

-allow profman libart_file:file r_file_perms;
-
 allow profman user_profile_data_file:file { getattr read write lock };

 # Dumping profile info opens the application APK file for pretty printing.
--- a/public/recovery.te
+++ b/public/recovery.te
@ -28,7 +28,7 @@ recovery_only(`

  # Create and relabel files and directories under /system.
  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };

  # We may be asked to set an SELinux label for a type not known to the