Allow the system to rename wallpaper files
am: 39cfed0b23
* commit '39cfed0b23c542cf4b95e0e2835c1886914f88ce':
Allow the system to rename wallpaper files
Change-Id: I4404f9f9d9ffb78af3c50beefd1b1f220662d181
diff --git a/Android.mk b/Android.mk
index 0bfa54d..22ddebb 100644
--- a/Android.mk
+++ b/Android.mk
@@ -100,8 +100,8 @@
$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $(dir $<)/$(notdir $@).dontaudit $<.dontaudit > /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
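Review bot: The new `> /dev/null` on the two checkpolicy invocations redirects only stdout, so whatever checkpolicy writes to stderr still reaches the build log and a non-zero exit status still fails the rule — a reader may assume all output is suppressed, so this is worth stating. A one-line comment above the rule, e.g. `# checkpolicy's stdout is noise; errors still go to stderr and a failing exit status still aborts the build`, would record the intent. The same redirect is added in the two later Android.mk hunks (the policy_recovery rule and the general_sepolicy rule), so the comment belongs at the first of them. The rule body here continues past the hunk.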
@@ -138,7 +138,7 @@
$(LOCAL_BUILT_MODULE): $(sepolicy_policy_recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@.tmp $< > /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
@@ -188,7 +188,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_SEPOLICY.CONF := $(built_general_sepolicy.conf)
$(LOCAL_BUILT_MODULE): $(built_general_sepolicy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c $(POLICYVERS) -o $@ $(PRIVATE_BUILT_SEPOLICY.CONF) > /dev/null
built_general_sepolicy := $(LOCAL_BUILT_MODULE)
##################################
diff --git a/adbd.te b/adbd.te
index b44cf0d..3623180 100644
--- a/adbd.te
+++ b/adbd.te
@@ -107,3 +107,13 @@
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell domains. adbd only ever
+# transitions to the shell domain. In particular, we never want
+# to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
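Review bot: The comment says a transition from adbd to su is never wanted, but the dyntransition rule on the last line exempts su on userdebug/eng builds through the userdebug_or_eng macro, while the transition rule above it has no such carve-out, so the comment overstates what is enforced. Suggest making it precise, e.g. `# to see a transition from adbd to su (aka "adb root"); on userdebug/eng builds only a dyntransition to su is tolerated.` The m4 quoting of the `-su` argument matches the macro uses elsewhere on this page.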
diff --git a/app.te b/app.te
index 56cecb5..33d1136 100644
--- a/app.te
+++ b/app.te
@@ -71,10 +71,6 @@
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-# lib subdirectory of /data/data dir is system-owned.
-allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open execmod };
-
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -430,7 +426,6 @@
dev_type
rootfs
system_file
- security_file
tmpfs
}:lnk_file no_w_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 9212d0e..cf64079 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -19,7 +19,6 @@
-ueventd
-watchdogd
}:process { ptrace getattr };
-security_access_policy(debuggerd)
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index bed4e67..bb8badd 100644
--- a/domain.te
+++ b/domain.te
@@ -190,29 +190,13 @@
# Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin;
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
-# Only init and the system_server can set selinux.reload_policy 1
-# to trigger a policy reload.
+# Only init and the system_server shall use the property_service.
neverallow { domain -init -system_server } security_prop:property_service set;
-# Only init and system_server can write to /data/security, where runtime
-# policy updates live.
-# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
-neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
-# Only init and system_server can create/setattr directories with this type.
-# init is for init.rc mkdir /data/security.
-# system_server is for creating subdirectories under /data/security.
-neverallow { domain -init -system_server } security_file:dir { create setattr };
-# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
-
# Only init prior to switching context should be able to set enforcing mode.
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
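Review bot: The new comment `# Only init and the system_server shall use the property_service.` overstates the rule beneath it, which only forbids `set` on `security_prop`, not property_service use in general; suggest `# Only init and system_server may set security_prop properties.` The replacement `neverallow * kernel:security load_policy;` is clear, but now that no domain can reload policy it is worth checking whether system_server still needs to set security_prop at all — the removed comment tied that permission to triggering a reload via selinux.reload_policy, and the remaining users are not visible here.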
@@ -228,15 +212,27 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only init, ueventd and system_server should be able to access HW RNG
-neverallow { domain -init -system_server -ueventd } hw_random_device:chr_file *;
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+ domain
+ -init
+ -shell # For CTS and is restricted to getattr in shell.te
+ -system_server
+ -ueventd
+} hw_random_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
-neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
-neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
+neverallow {
+ domain
+ -init
+ -kernel
+ -shell # For CTS and is restricted to getattr in shell.te
+ -ueventd
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
# Only init should be able to configure kernel usermodehelpers or
# security-sensitive proc settings.
@@ -252,7 +248,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
@@ -343,7 +339,13 @@
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
-neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+neverallow {
+ domain
+ -init
+ -recovery
+ -system_server
+ -shell # Shell is further restricted in shell.te
+} frp_block_device:blk_file rw_file_perms;
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
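Review bot: The `-shell # Shell is further restricted in shell.te` exemption on the frp_block_device rule relies on shell.te's `neverallow shell dev_type:blk_file ~getattr;` covering frp_block_device, which holds only if that type carries the dev_type attribute — its declaration is not in this diff, so confirm it. If it does not, nothing in the neverallow layer would stop a future allow rule from granting shell rw_file_perms on the FRP partition. Naming the dependency in the comment, e.g. `-shell # a dev_type; shell.te limits it to getattr`, makes the assumption visible to the next editor.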
@@ -426,7 +428,6 @@
# which, long term, need to go away.
neverallow * {
file_type
- -system_data_file
-apk_data_file
-app_data_file
-asec_public_file
@@ -470,6 +471,21 @@
# to installd
neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+# respect system_app sandboxes
+neverallow {
+ domain
+ -system_app # its own sandbox
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+# Services should respect app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
#
# Only these domains should transition to shell domain. This domain is
# permissible for the "shell user". If you need a process to exec a shell
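Review bot: The two new sandbox neverallow rules cover `{ create unlink open }` and `{ create unlink }` but not `rename` or `link`, both of which also add or remove entries in an app's sandbox directory; consider whether those belong in the sets, in line with the `{ open create unlink link }` set this same change adds to the system_server rule on app data files. Separately, the inline comment `-system_server #populate com.android.providers.settings/databases/settings.db.` lacks the space after `#` that the neighbouring comments use.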
@@ -577,6 +593,7 @@
-priv_app
-recovery
-sdcardd
+ -shell # Restricted by shell.te to only getattr
-system_server
-ueventd
-vold
diff --git a/domain_deprecated.te b/domain_deprecated.te
index e5bfb1c..8b04879 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -31,7 +31,6 @@
allow domain_deprecated system_file:lnk_file r_file_perms;
# Read files already opened under /data.
-allow domain_deprecated system_data_file:dir { search getattr };
allow domain_deprecated system_data_file:file { getattr read };
allow domain_deprecated system_data_file:lnk_file r_file_perms;
@@ -64,11 +63,6 @@
allow domain_deprecated selinuxfs:dir r_dir_perms;
allow domain_deprecated selinuxfs:file r_file_perms;
-# /data/security files
-allow domain_deprecated security_file:dir { search getattr };
-allow domain_deprecated security_file:file getattr;
-allow domain_deprecated security_file:lnk_file r_file_perms;
-
# World readable asec image contents
allow domain_deprecated asec_public_file:file r_file_perms;
allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/file.te b/file.te
index c6b2a49..347aec9 100644
--- a/file.te
+++ b/file.te
@@ -23,7 +23,6 @@
type cgroup, fs_type, mlstrustedobject;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_hwrandom, fs_type, sysfs_type;
@@ -188,8 +187,6 @@
type asec_image_file, file_type, data_file_type;
# /data/backup and /data/secure/backup
type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
# All devices have bluetooth efs files. But they
# vary per device, so this type is used in per
# device policy
diff --git a/file_contexts b/file_contexts
index 75edcc9..003e4de 100644
--- a/file_contexts
+++ b/file_contexts
@@ -239,7 +239,6 @@
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/security(/.*)? u:object_r:security_file:s0
/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
/data/drm(/.*)? u:object_r:drm_data_file:s0
/data/gps(/.*)? u:object_r:gps_data_file:s0
diff --git a/file_contexts_asan b/file_contexts_asan
index 5ffd7e2..5813d32 100644
--- a/file_contexts_asan
+++ b/file_contexts_asan
@@ -1,2 +1,4 @@
/data/lib(/.*)? u:object_r:system_file:s0
+/data/lib64(/.*)? u:object_r:system_file:s0
/data/vendor/lib(/.*)? u:object_r:system_file:s0
+/data/vendor/lib64(/.*)? u:object_r:system_file:s0
diff --git a/init.te b/init.te
index d8ed8b8..03ae1c4 100644
--- a/init.te
+++ b/init.te
@@ -102,11 +102,63 @@
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
-allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file
+ -exec_type
+ -app_data_file
+ -system_app_data_file
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -system_file
+ -exec_type
+ -keystore_data_file
+ -app_data_file
+ -system_app_data_file
+ -shell_data_file
+ -vold_data_file
+ -misc_logd_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -system_file
+ -exec_type
+ -keystore_data_file
+ -app_data_file
+ -system_app_data_file
+ -shell_data_file
+ -vold_data_file
+ -misc_logd_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file
+ -exec_type
+ -keystore_data_file
+ -app_data_file
+ -system_app_data_file
+ -shell_data_file
+ -vold_data_file
+ -misc_logd_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -system_file
+ -exec_type
+ -keystore_data_file
+ -app_data_file
+ -system_app_data_file
+ -shell_data_file
+ -vold_data_file
+ -misc_logd_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
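Review bot: The four dir/file/sock_file/lnk_file rules for init repeat the same nine-type exclusion list verbatim, so every new exclusion (as `-system_app_data_file` is here) must be applied in four places, and the first rule's shorter list is easy to miss when editing. Since te_macros already uses m4 `define` for shared policy fragments, a single macro or an attribute for "file types init may create" would keep the lists in lockstep. The `relabelto` rule at the bottom of the hunk appears to keep the broader set on purpose; a comment saying why would prevent someone "fixing" it later.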
@@ -127,15 +179,6 @@
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-# Create /data/security from init.rc post-fs-data.
-allow init security_file:dir { create setattr };
-
-# Reload policy upon setprop selinux.reload_policy 1.
-# Note: this requires the following allow rule
-# allow init kernel:security load_policy;
-# which can be configured on a device-by-device basis if needed.
-r_dir_file(init, security_file)
-
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
diff --git a/install_recovery.te b/install_recovery.te
index 1c47236..b11ff74 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -21,11 +21,8 @@
allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
-allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
-allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
-
-auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
-auditallow install_recovery cache_recovery_file:file create_file_perms;
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
# Write to /proc/sys/vm/drop_caches
allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/installd.te b/installd.te
index 0e64041..a66f9ff 100644
--- a/installd.te
+++ b/installd.te
@@ -24,8 +24,6 @@
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;
diff --git a/property_contexts b/property_contexts
index 70a8080..596a9fb 100644
--- a/property_contexts
+++ b/property_contexts
@@ -38,6 +38,7 @@
service.adb.tcp.port u:object_r:shell_prop:s0
persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
diff --git a/runas.te b/runas.te
index 4fa686a..58a1bdc 100644
--- a/runas.te
+++ b/runas.te
@@ -20,8 +20,6 @@
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/shell.te b/shell.te
index d8c6dd4..991a337 100644
--- a/shell.te
+++ b/shell.te
@@ -131,6 +131,22 @@
allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms;
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
###
### Neverallow rules
###
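Review bot: The comment above the blk_file rule reads `# filesystem test for insucre blk_file's is done` — "insucre" should be "insecure", and "hostside" is written "host side" in the matching chr_file comment earlier in the hunk; suggest `# filesystem test for insecure blk_file's is done via a host side test`. The `allow shell dev_type:chr_file getattr;` and `allow shell dev_type:blk_file getattr;` grants are broad and are only kept to getattr by the neverallows added in the next hunk of this file, so the comment should point at those rules so the pair stays together.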
@@ -145,3 +161,14 @@
# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ kmem_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
diff --git a/su.te b/su.te
index f58f7a3..5c98258 100644
--- a/su.te
+++ b/su.te
@@ -52,4 +52,5 @@
dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
')
diff --git a/system_app.te b/system_app.te
index b3f4b30..3749644 100644
--- a/system_app.te
+++ b/system_app.te
@@ -26,6 +26,7 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
set_prop(system_app, logd_prop)
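Review bot: `set_prop(system_app, bluetooth_prop)` lets system_app write every property labelled bluetooth_prop, which after the property_contexts hunk in this change includes the whole `persist.bluetooth.` prefix, and the hunk gives no hint which app or property needs it. A trailing comment naming the consumer, e.g. `set_prop(system_app, bluetooth_prop) # <which system app / property needs this>`, would record the intended scope so the grant can be revisited if the prefix grows.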
diff --git a/system_server.te b/system_server.te
index 67dc16a..8df665c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -121,9 +121,6 @@
# 3rd party VPN clients require a tun_socket to be created
allow system_server self:tun_socket create_socket_perms;
-# Notify init of death.
-allow system_server init:process sigchld;
-
# Talk to init and various daemons via sockets.
unix_socket_connect(system_server, installd, installd)
unix_socket_connect(system_server, lmkd, lmkd)
@@ -280,9 +277,6 @@
# Receive and use open /data/media files passed over binder IPC.
allow system_server media_rw_data_file:file { getattr read write };
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system_server)
-
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
@@ -345,8 +339,9 @@
allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-# Run system programs, e.g. dexopt.
+# Run system programs, e.g. dexopt. Needed? (b/28035297)
allow system_server system_file:file x_file_perms;
+auditallow system_server system_file:file execute_no_trans;
# LocationManager(e.g, GPS) needs to read and write
# to uart driver and ctrl proc entry
@@ -522,12 +517,22 @@
neverallow system_server sdcard_type:dir { open read write };
neverallow system_server sdcard_type:file rw_file_perms;
-# system server should never be opening zygote spawned app data
+# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
# Types extracted from seapp_contexts type= fields, excluding
# those types that system_server needs to open directly.
-neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file open;
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server { file_type -toolbox_exec -logcat_exec -system_file }:file execute_no_trans;
+
+# System server should never transition to a new domain. This compliments
+# and enforces the already pre-existing PR_SET_NO_NEW_PRIVS flag.
+neverallow system_server *:process { transition dyntransition };
# system_server should never be executing dex2oat. This is either
# a bug (for example, bug 16317188), or represents an attempt by
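Review bot: The new execute_no_trans neverallow exempts `system_file` as a whole, so it only blocks execs of files outside /system and is weaker than "Prevent the addition of new file execs" suggests; the `auditallow system_server system_file:file execute_no_trans;` added earlier in this file is what will show whether that exemption can be dropped, and the comment should say the two go together, e.g. `# system_file is exempt for now; the auditallow above tracks remaining users (b/28035297)`. The `neverallow system_server *:process { transition dyntransition };` rule is a good backstop for the no_new_privs flag it mentions — "compliments" in that comment should read "complements".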
@@ -535,7 +540,8 @@
# want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms;
-# system_server should never execute anything from /data except for /data/dalvik-cache files.
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
neverallow system_server {
data_file_type
-dalvikcache_data_file #mapping with PROT_EXEC
diff --git a/te_macros b/te_macros
index 488ef9b..af99bd2 100644
--- a/te_macros
+++ b/te_macros
@@ -13,7 +13,7 @@
# New domain is entered by executing the file.
allow $3 $2:file { entrypoint open read execute getattr };
# New domain can send SIGCHLD to its caller.
-allow $3 $1:process sigchld;
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
dontaudit $1 $3:process noatsecure;
# XXX dontaudit candidate but requires further study.
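Review bot: The comment `# New domain can send SIGCHLD to its caller.` no longer matches the line under it, which now omits the sigchld rule whenever the caller is init; suggest `# New domain can send SIGCHLD to its caller (skipped for init, which is covered elsewhere).` Presumably a domain-wide rule grants sigchld to init, since this change also drops the explicit `init:process sigchld` allows from system_server.te and ueventd.te, but that rule is not visible here, so confirm it before relying on the ifelse. The macro's definition starts and ends outside this hunk.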
@@ -249,27 +249,6 @@
')
#####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-define(`security_access_policy', `
-allow $1 security_file:dir r_dir_perms;
-allow $1 security_file:file r_file_perms;
-')
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-define(`mmac_manage_policy', `
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
-#####################################
# create_pty(domain)
# Allow domain to create and use a pty, isolated from any other domain ptys.
define(`create_pty', `
diff --git a/ueventd.te b/ueventd.te
index 3881445..3c4ba20 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -8,8 +8,6 @@
type_transition ueventd device:chr_file klog_device "__kmsg__";
allow ueventd klog_device:chr_file { create open write unlink };
-security_access_policy(ueventd)
-allow ueventd init:process sigchld;
allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
allow ueventd device:chr_file rw_file_perms;
diff --git a/uncrypt.te b/uncrypt.te
index c8840dd..2ebde86 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -27,8 +27,6 @@
# Raw writes to block device
allow uncrypt self:capability sys_rawio;
-allow uncrypt block_device:blk_file w_file_perms;
-auditallow uncrypt block_device:blk_file w_file_perms;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
diff --git a/untrusted_app.te b/untrusted_app.te
index 6bc6843..b39ace0 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -89,15 +89,9 @@
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app self:process ptrace;
-# Programs routinely attempt to scan through /system, looking
-# for files. Suppress the denials when they occur.
-dontaudit untrusted_app exec_type:file getattr;
-
# TODO: switch to meminfo service
allow untrusted_app proc_meminfo:file r_file_perms;
-# https://code.google.com/p/chromium/issues/detail?id=586021
-allow untrusted_app proc:file r_file_perms;
# access /proc/net/xt_qtguid/stats
r_dir_file(untrusted_app, proc_net)
@@ -169,10 +163,6 @@
neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow untrusted_app { cache_file cache_recovery_file }:file ~{ read getattr };
-# Do not allow untrusted_app to set system properties.
-neverallow untrusted_app property_socket:sock_file write;
-neverallow untrusted_app property_type:property_service set;
-
# Do not allow untrusted_app to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
diff --git a/vold.te b/vold.te
index 6d5d994..75b6f36 100644
--- a/vold.te
+++ b/vold.te
@@ -125,7 +125,6 @@
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
diff --git a/zygote.te b/zygote.te
index 89dccfc..9e155ef 100644
--- a/zygote.te
+++ b/zygote.te
@@ -43,8 +43,6 @@
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount