Merge "Installd doesn't need to create cgroup files." into pi-dev

private/init.te

@@ -20,13 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 userdebug_or_eng(`
   domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit init cgroup:file create;

private/zygote.te

@@ -134,8 +134,3 @@ neverallow zygote {
 
 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit zygote cgroup:file create;

public/domain.te

@@ -1329,23 +1329,23 @@ neverallow {
 } self:capability dac_override;
 neverallow { domain -traced_probes } self:capability dac_read_search;
 
-# If an already existing file is opened with O_CREATE, the kernel might generate
+# If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
 # inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
 neverallow domain {
   proc_type
   sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };
 
-# cgroupfs directories can be created, but not files within them
+# cgroupfs directories can be created, but not files within them.
-# TODO(b/74182216): Remove the installd allow when we're sure it's not used
+neverallow domain cgroup:file create;
-neverallow {
-  domain
-  -installd
-} cgroup:file create;
 
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
 
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.

public/init.te

@@ -326,11 +326,6 @@ allow init {
 # Allow init to write to vibrator/trigger
 allow init sysfs_vibrator:file w_file_perms;
 
-# Creating files on sysfs is impossible so this isn't a threat.
-# We may write to a non-existent file to avoid conditional
-# init behavior.
-dontaudit init sysfs_vibrator:dir write;
-
 # init chmod/chown access to /sys files.
 allow init {
   sysfs_android_usb

public/installd.te

@@ -19,7 +19,6 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)