From 11dc03e5a2c65c4f3ca9a5b6fd0eb688447433bd Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 21 Nov 2016 14:38:17 -0800
Subject: [PATCH] access_vectors: Remove unused permission definitions

Description stolen from
https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162

Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0.  Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.

Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }

Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }

Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
---
 private/access_vectors | 26 --------------------------
 public/te_macros       |  2 +-
 2 files changed, 1 insertion(+), 27 deletions(-)

diff --git a/private/access_vectors b/private/access_vectors
index 26286b238..6393c166d 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -24,7 +24,6 @@ common file
 	link
 	rename
 	execute
-	swapon
 	quotaon
 	mounton
 }
@@ -57,8 +56,6 @@ common socket
 	shutdown
 	recvfrom
 	sendto
-	recv_msg
-	send_msg
 	name_bind
 }
 
@@ -97,7 +94,6 @@ class filesystem
 	getattr
 	relabelfrom
 	relabelto
-	transition
 	associate
 	quotamod
 	quotaget
@@ -184,9 +180,6 @@ inherits socket
 class tcp_socket
 inherits socket
 {
-	connectto
-	newconn
-	acceptfrom
 	node_bind
 	name_connect
 }
@@ -205,29 +198,12 @@ inherits socket
 
 class node
 {
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	enforce_dest
-	dccp_recv
-	dccp_send
 	recvfrom
 	sendto
 }
 
 class netif
 {
-	tcp_recv
-	tcp_send
-	udp_recv
-	udp_send
-	rawip_recv
-	rawip_send
-	dccp_recv
-	dccp_send
 	ingress
 	egress
 }
@@ -245,8 +221,6 @@ class unix_stream_socket
 inherits socket
 {
 	connectto
-	newconn
-	acceptfrom
 }
 
 class unix_dgram_socket
diff --git a/public/te_macros b/public/te_macros
index a826e9683..df171f010 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -237,7 +237,7 @@ define(`selinux_check_access', `
 r_dir_file($1, selinuxfs)
 allow $1 selinuxfs:file w_file_perms;
 allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
 ')
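Review bot: The permission list on the changed `allow $1 self:netlink_selinux_socket { ... }` line is still an inline copy of `common socket`, so the next edit to access_vectors will leave this macro out of sync again, exactly as happened with `recv_msg`/`send_msg` here; if the policy already defines a shared socket-permission set (Android's global_macros commonly carries something like `create_socket_perms`), `allow $1 self:netlink_selinux_socket create_socket_perms;` would keep the two tied together — confirm the macro's name and contents before substituting, since this list also includes `listen accept name_bind relabelfrom relabelto`. Separately, those extra permissions look wider than a socket that selinux_check_access callers presumably only create, bind and read AVC notifications on; if no caller needs them the set can be narrowed, but that is a follow-up rather than part of this cleanup. The rest of the `selinux_check_access` macro (the `r_dir_file`, `w_file_perms` and `compute_av` lines) is context here and unaffected.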
 
 #####################################
-- 
GitLab