From 979adffd45914bd7b357c404437c64bb59bec51a Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 12 Aug 2015 17:01:57 -0700
Subject: [PATCH] eliminate some anr_data_file permissions.

Init is now responsible for creating /data/anr, so it's unnecessary to grant system_server and dumpstate permissions to relabel this directory. Remove the excess permissions. Leave system_data_file relabelfrom, since it's possible we're still using it somewhere. See commits:
https://android-review.googlesource.com/161650
https://android-review.googlesource.com/161477
https://android-review.googlesource.com/161638
Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
---
 dumpstate.te | 3 +--
 system_server.te | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/dumpstate.te b/dumpstate.te
index 584b1406f..f2aab81b4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -24,9 +24,8 @@ allow dumpstate system_file:file execute_no_trans;
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
+allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
-allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };
 # Allow reading /data/system/uiderrors.txt
 # TODO: scope this down.
diff --git a/system_server.te b/system_server.te
index 4b16d46d5..269d6ee05 100644
--- a/system_server.te
+++ b/system_server.te
@@ -269,9 +269,10 @@ allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
-# Relabel /data/anr.
+# This was originally required for relabeling /data/anr,
+# but should not be used anymore. TODO: remove it.
 allow system_server system_data_file:dir relabelfrom;
-allow system_server anr_data_file:dir relabelto;
+auditallow system_server system_data_file:dir relabelfrom;
 # Property Service write
 set_prop(system_server, system_prop)
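Review bot: The `TODO: remove it` on the retained `allow system_server system_data_file:dir relabelfrom;` names no tracking bug and no removal condition, so the rule and its new `auditallow` can stay in shipped policy indefinitely. I would have the comment say what the audit is waiting for, e.g. `# TODO(b/22385254): remove both rules once logs show no "avc: granted { relabelfrom }" for system_server on system_data_file:dir.` (the bug number is taken from this commit's trailer; use the real tracking bug if it differs). There is also an asymmetry with the dumpstate.te hunk, which drops the whole `system_data_file:dir` rule, `create_dir_perms` included, with no audit stage. If that is intended, the description's "Leave system_data_file relabelfrom" should say it applies to system_server only. It may also be worth checking whether the `chown`, `fowner` and `fsetid` capabilities kept as context in dumpstate.te are still needed now that init creates /data/anr; that is an inference from the comment above them, not something the hunk shows.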