From 4a580ccabb76dcb2548acb1b8c1fc9955ca58cb0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 4 Apr 2017 18:34:52 -0700
Subject: [PATCH] Fix lock logspam and remove domain_deprecated rule

Remove system_file:file { lock ioctl } from domain_deprecated. The only
domains triggering this were dex2oat and netd, which are fixed in this
change.

Addresses logspam similar to the following:

  avc: granted { lock } for comm="iptables"
  path="/system/etc/xtables.lock" dev="sda22" ino=3745
  scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file

  avc: granted { lock } for comm="dex2oat"
  path="/system/framework/arm/boot-okhttp.art" dev="dm-0" ino=1295
  scontext=u:r:dex2oat:s0 tcontext=u:object_r:system_file:s0 tclass=file

Test: device boots and no obvious problems.
Bug: 28760354
Bug: 36879751
Change-Id: Iac851c0e49a52ce4000fdfe16e68c17ff819693f
---
 public/dex2oat.te           | 3 +++
 public/domain_deprecated.te | 9 ---------
 public/netd.te              | 3 +++
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/public/dex2oat.te b/public/dex2oat.te
index 6421d930c..1d794e221 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -13,6 +13,9 @@ allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
 
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
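Review bot: The comment above the new rule names `/system/framework/arm/*`, but `allow dex2oat system_file:file lock;` is type-wide: it permits advisory locks on every file labeled system_file, because a file rule cannot be scoped by path without a finer-grained type. The netd hunk has the same shape with `/system/etc/xtables.lock`, so the same wording applies there. A comment that records both the observed trigger and the real scope keeps a later reader from assuming the path is enforced, e.g. `# Advisory (flock/fcntl) lock, seen on /system/framework/arm/boot-okhttp.art; grants lock on any system_file-labeled file.` The `lock` permission alone is only useful if open/read on system_file:file still come from domain.te, which the trailing comment on the deleted auditallow in domain_deprecated.te suggests but this hunk does not show.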
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index aa6ec4e7e..97777533d 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -71,7 +71,6 @@ auditallow {
 
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
   domain_deprecated
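Review bot: The removed line drops the whole `r_file_perms` set on system_file:file for domain_deprecated, while the commit message describes removing only `{ lock ioctl }`; the two agree only if domain.te already grants `{ read open getattr }`, which the `# read open getattr in domain` comment on the auditallow deleted in the next hunk indicates but nothing in this hunk establishes. If that is the case, a one-line note at the removal site would make the dependency explicit and stop someone from re-adding the rule, e.g. `# read open getattr on system_file:file come from domain.te; no further file perms here.` The `userdebug_or_eng(` block opened on the line below continues past the end of this hunk.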
@@ -86,14 +85,6 @@ auditallow {
   -vold
   -zygote
 } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
 ')
 
 # Read files already opened under /data.
diff --git a/public/netd.te b/public/netd.te
index 81f4af42b..939d714f9 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,9 @@ allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;
-- 
GitLab