Merge "Fix lock logspam and remove domain_deprecated rule" into oc-dev

6f108fd8 · Nick Kralevich · Android (Google) Code Review · c0e6cb58 · 4a580cca · 6f108fd8
Commit 6f108fd8 authored 7 years ago by Nick Kralevich Committed by Android (Google) Code Review 7 years ago
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -13,6 +13,9 @@ allow dex2oat dalvikcache_data_file:file write;
 allow dex2oat dalvikcache_data_file:lnk_file read;
 allow dex2oat installd:fd use;
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.

--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -71,7 +71,6 @@ auditallow {
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
-allow domain_deprecated system_file:file r_file_perms;
 userdebug_or_eng(`
 auditallow {
  domain_deprecated
@@ -86,14 +85,6 @@ auditallow {
  -vold
  -zygote
 } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} system_file:file { ioctl lock }; # read open getattr in domain
 ')
 # Read files already opened under /data.

--- a/public/netd.te
+++ b/public/netd.te
@@ -29,6 +29,9 @@ allow netd shell_exec:file rx_file_perms;
 allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
 r_dir_file(netd, proc_net)
 # For /proc/sys/net/ipv[46]/route/flush.
 allow netd proc_net:file rw_file_perms;