Remove domain_deprecated from adbd and shell

The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46

Remove domain_deprecated from adbd and shell
The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
8ca19368 · Nick Kralevich · 9a3d1c6b · 8ca19368 · 8ca19368 · 8ca19368
Commit 8ca19368 authored 9 years ago by Nick Kralevich
--- a/adbd.te
+++ b/adbd.te
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, domain_deprecated, mlstrustedsubject;
+type adbd, domain, mlstrustedsubject;

 userdebug_or_eng(`
  allow adbd self:process setcurrent;

--- a/domain.te
+++ b/domain.te
@@ -88,6 +88,9 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;

+# libc references /data/misc/zoneinfo for timezone related information
+r_dir_file(domain, zoneinfo_data_file)
+
 # files under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:lnk_file read;

--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -53,9 +53,6 @@ allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;

-# Read timezone related information
-r_dir_file(domain_deprecated, zoneinfo_data_file)
-
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
 allow domain_deprecated cgroup:file w_file_perms;

--- a/shell.te
+++ b/shell.te
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, domain_deprecated, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;

 # Create and use network sockets.
@@ -21,6 +21,10 @@ userdebug_or_eng(`
  allow shell misc_logd_file:file r_file_perms;
 ')

+# interact with adb
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { read write ioctl getattr };
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
@@ -82,6 +86,8 @@ allow shell servicemanager:service_manager list;
 allow shell { service_manager_type -gatekeeper_service }:service_manager find;

 # allow shell to look through /proc/ for ps, top
+r_dir_file(shell, proc)
+r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };