platform_system_sepolicy/public/domain_deprecated.te
Nick Kralevich f2de07529b domain_deprecated.te: delete stale permissions
auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!

Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
      permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
2016-11-20 08:34:02 -08:00

149 lines
7 KiB
Text

# rules removed from the domain attribute
# Search /storage/emulated tmpfs mount.
allow domain_deprecated tmpfs:dir r_dir_perms;
auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
# Inherit or receive open files from others.
allow domain_deprecated system_server:fd use;
auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:fd use;
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
# Root fs.
allow domain_deprecated rootfs:dir r_dir_perms;
allow domain_deprecated rootfs:file r_file_perms;
allow domain_deprecated rootfs:lnk_file r_file_perms;
auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
# System file accesses.
allow domain_deprecated system_file:dir r_dir_perms;
allow domain_deprecated system_file:file r_file_perms;
auditallow {
domain_deprecated
-appdomain
-init
-installd
-rild
-surfaceflinger
-system_server
-zygote
} system_file:dir { open read ioctl lock }; # search getattr in domain
auditallow {
domain_deprecated
-appdomain
-init
-rild
-surfaceflinger
-system_server
-zygote
} system_file:file { ioctl lock }; # read open getattr in domain
# Read files already opened under /data.
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
auditallow { domain_deprecated -appdomain -init -sdcardd -system_server -tee } system_data_file:file { getattr read };
auditallow { domain_deprecated -appdomain -init -system_server -tee } system_data_file:lnk_file r_file_perms;
# Read apk files under /data/app.
allow domain_deprecated apk_data_file:dir { getattr search };
allow domain_deprecated apk_data_file:file r_file_perms;
allow domain_deprecated apk_data_file:lnk_file r_file_perms;
auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
# Read already opened /cache files.
allow domain_deprecated cache_file:dir r_dir_perms;
allow domain_deprecated cache_file:file { getattr read };
allow domain_deprecated cache_file:lnk_file r_file_perms;
auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:dir { open read search ioctl lock };
auditallow { domain_deprecated -appdomain -init -priv_app -system_server -vold } cache_file:dir getattr;
auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:file { getattr read };
auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
#Allow access to ion memory allocation device
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
r_dir_file(domain_deprecated, inotify)
r_dir_file(domain_deprecated, cgroup)
allow domain_deprecated proc_meminfo:file r_file_perms;
r_dir_file(domain_deprecated, proc_net)
#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:file r_file_perms;
auditallow { domain_deprecated -fsck -fsck_untrusted -init -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-init
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:dir r_dir_perms;
auditallow {
domain_deprecated
-appdomain
-dumpstate
-fingerprintd
-healthd
-init
-inputflinger
-installd
-keystore
-netd
-rild
-surfaceflinger
-system_server
-zygote
} cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
auditallow {
domain_deprecated
-appdomain
-clatd
-dumpstate
-init
-netd
-system_server
-vold
-wpa
-zygote
} proc_net:{ file lnk_file } r_file_perms;
# Get SELinux enforcing status.
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -appdomain -debuggerd -init -installd -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
auditallow domain_deprecated asec_public_file:file r_file_perms;
auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;