From 24ad5143679ae5dabdcf24439b32f951db69a64c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Sat, 1 Oct 2016 20:47:01 -0700
Subject: [PATCH] gatekeeperd: remove domain_deprecated attribute

Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.

Bug: 28760354
Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac
---
 domain_deprecated.te | 6 +++---
 gatekeeperd.te       | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index c363a6c46..b8ad83c5a 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -78,7 +78,7 @@ auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file
 allow domain_deprecated ion_device:chr_file rw_file_perms;
 # split this auditallow into read and write perms since most domains seem to
 # only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
 auditallow domain_deprecated ion_device:chr_file { write append };
 
 # Read access to pseudo filesystems.
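Review bot: The "no granted messages" evidence in the commit message cannot cover ion_device reads, because gatekeeperd was listed as an exception in this `auditallow` (and in the two cgroup rules in the next hunk), so those accesses were never audited for it. Removing `domain_deprecated` from gatekeeperd drops the `allow domain_deprecated ion_device:chr_file rw_file_perms;` grant shown at the top of this hunk, and presumably the matching cgroup read grant, which lies outside the visible hunks. Before merging, confirm that gatekeeperd.te (only its first lines are visible here) keeps an explicit least-privilege rule for what the daemon still uses, for example `allow gatekeeperd ion_device:chr_file r_file_perms;`, and that cgroup reads are either granted elsewhere or not needed. A gap would not fail the build; it would show up as avc denials on device, so the boot test should include a check of the denial log for gatekeeperd during credential enrolment and verification.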
@@ -96,8 +96,8 @@ auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -pr
 auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 3d9b60cd1..bc4fe81b4 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -1,4 +1,4 @@
-type gatekeeperd, domain, domain_deprecated;
+type gatekeeperd, domain;
 type gatekeeperd_exec, exec_type, file_type;
 
 # gatekeeperd
-- 
GitLab