Remove SElinux audit to libart_file

am: 01ee59a7b4

Change-Id: I2d5889cd3faf16957ed329234ffd7b3bc6504203
Calin Juravle 2017-02-01 00:56:37 +00:00 committed by android-build-merger
commit 2ce7f8362f
10 changed files with 3 additions and 36 deletions


@ -14,9 +14,6 @@ allow appdomain zygote_tmpfs:file read;
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
# allow access to the interpreter
allow appdomain libart_file:file { execute read open getattr };
allow appdomain ashmem_device:chr_file execute;
# Receive and use open file descriptors inherited from zygote.


@ -239,8 +239,6 @@
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/fake-lib(64)?/libart.* u:object_r:libart_file:s0
/system/lib(64)?/libart.* u:object_r:libart_file:s0
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0


@ -40,8 +40,6 @@ allow zygote dalvikcache_data_file:lnk_file create_file_perms;
allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms;
# For art.
allow zygote libart_file:file { execute read open getattr };
# When WITH_DEXPREOPT is true, the zygote does not load executable content from
# /data/dalvik-cache.
allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;


@ -24,9 +24,6 @@ allow crash_dump exec_type:file r_file_perms;
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
# Unwind through libart.
allow crash_dump libart_file:file r_file_perms;
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)


@ -6,9 +6,6 @@ r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
allow dex2oat tmpfs:file { read getattr };
# allow access to the interpreter
allow dex2oat libart_file:file { execute read open getattr };
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where


@ -94,21 +94,6 @@ allow domain system_file:dir { search getattr };
allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file read;
# Initially grant all domains access to libart.
# TODO move to a whitelist. b/29795519
allow domain libart_file:file { execute read open getattr };
auditallow {
domain
-appdomain
-crash_dump
-dex2oat
-dumpstate
-profman
-recovery
-webview_zygote
-zygote
} libart_file:file { execute read open getattr };
# read any sysfs symlinks
allow domain sysfs:lnk_file read;
@ -308,7 +293,7 @@ neverallow {
-system_server
-webview_zygote
-zygote
} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
} { file_type -system_file -exec_type -postinstall_file }:file execute;
neverallow {
domain
-appdomain # for oemfs
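Review bot: In the second hunk the neverallow target set drops `-libart_file`, so execution of the ART libraries now rests on the blanket `allow domain system_file:file { execute read open getattr };` rule visible in the first hunk, while that hunk deletes both the auditallow and the `TODO move to a whitelist. b/29795519` marker without leaving a trace of the decision. The commit title mentions only removing an audit, yet the type itself is retired across the other sections, so a short comment beside the system_file rule would help the next reader, for example `# libart.* now carries the system_file label; see b/29795519 for the earlier whitelist plan.` Presumably the libart paths fall back to a generic /system label once their file_contexts entries are gone; that is worth confirming, because a file left with the retired label would no longer map to a valid type. The neverallow block opens above the visible hunk.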


@ -114,7 +114,6 @@ allow dumpstate zygote_exec:file rx_file_perms;
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate libart_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;


@ -78,8 +78,6 @@ type unlabeled, file_type;
type system_file, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/*/libart*
type libart_file, file_type;
# Type for /system/bin/logcat.
type logcat_exec, exec_type, file_type;
# /cores for coredumps on userdebug / eng builds


@ -2,8 +2,6 @@
type profman, domain;
type profman_exec, exec_type, file_type;
allow profman libart_file:file r_file_perms;
allow profman user_profile_data_file:file { getattr read write lock };
# Dumping profile info opens the application APK file for pretty printing.


@ -28,7 +28,7 @@ recovery_only(`
# Create and relabel files and directories under /system.
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
# We may be asked to set an SELinux label for a type not known to the
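Review bot: The rewritten rule `allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };` keeps set braces around a single type, apparently left over from dropping libart_file. Writing it as `allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };` would match the `system_file:dir` rule on the following line. This is purely a style point and does not change the compiled policy. The enclosing recovery_only block opens and closes outside the hunk.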