From 8ca19368dae676ba8769c15ead2469a9f44e562e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 27 Nov 2015 19:18:17 -0800
Subject: [PATCH] Remove domain_deprecated from adbd and shell
The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone.
Bug: 25433265
Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
---
 adbd.te | 2 +-
 domain.te | 3 +++
 domain_deprecated.te | 3 ---
 shell.te | 8 +++++++-
 4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/adbd.te b/adbd.te
index 1344fdb81..a35d570b8 100644
--- a/adbd.te
+++ b/adbd.te
@@ -1,6 +1,6 @@
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, domain_deprecated, mlstrustedsubject;
+type adbd, domain, mlstrustedsubject;
 userdebug_or_eng(`
 allow adbd self:process setcurrent;
diff --git a/domain.te b/domain.te
index f1b0d58b3..2d11bf7fb 100644
--- a/domain.te
+++ b/domain.te
@@ -88,6 +88,9 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
+# libc references /data/misc/zoneinfo for timezone related information
+r_dir_file(domain, zoneinfo_data_file)
+
 # files under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:lnk_file read;
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 9c5432149..8d69a7fc0 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
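Review bot: In the domain.te hunk, `r_dir_file(domain, zoneinfo_data_file)` makes every domain a reader of /data/misc/zoneinfo, so the integrity of those files now matters to every process that parses them through libc, and nothing in the hunk constrains who may write them. Consider pairing the grant with a guard such as `neverallow { domain -TZDATA_WRITER_DOMAIN } zoneinfo_data_file:file { create write append unlink rename };`, where TZDATA_WRITER_DOMAIN is a placeholder for whichever domain installs timezone updates (not visible on this page). The added comment could also state that the access is read-only and deliberately global, e.g. `# read-only for all domains: libc loads timezone data from /data/misc/zoneinfo`. Whether an equivalent neverallow already exists elsewhere in the policy cannot be determined from this diff.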
@@ -53,9 +53,6 @@ allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
-# Read timezone related information
-r_dir_file(domain_deprecated, zoneinfo_data_file)
-
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
 allow domain_deprecated cgroup:file w_file_perms;
diff --git a/shell.te b/shell.te
index 3d2bb5be2..2a3faecb2 100644
--- a/shell.te
+++ b/shell.te
@@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, domain_deprecated, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 # Create and use network sockets.
@@ -21,6 +21,10 @@ userdebug_or_eng(`
 allow shell misc_logd_file:file r_file_perms;
 ')
+# interact with adb
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { read write ioctl getattr };
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
@@ -82,6 +86,8 @@ allow shell servicemanager:service_manager list;
 allow shell { service_manager_type -gatekeeper_service }:service_manager find;
 # allow shell to look through /proc/ for ps, top
+r_dir_file(shell, proc)
+r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
-- 
GitLab
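Review bot: The comment `# interact with adb` in the `@@ -21,6 +21,10 @@` hunk of shell.te does not say which descriptors the two new rules cover, or why `ioctl` is among the socket permissions. Presumably these are the file descriptors and stream sockets the shell inherits from adbd for a session; if that is confirmed, say so, e.g. `# use fds and unix stream sockets inherited from adbd (shell session stdio)`. The rules are added after the `')` that closes the `userdebug_or_eng` block, so they apply on every build type; a word in the comment confirming that this is intended would help the next reader.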
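Review bot: In the last shell.te hunk, `r_dir_file(shell, cgroup)` is added under the comment `# allow shell to look through /proc/ for ps, top`, which describes /proc only, so the cgroup grant has no stated reason. Give it its own comment line once the reason is confirmed, for example `# read the cgroup hierarchy: <reason, to be confirmed>`. `r_dir_file(shell, proc)` is also broader than the per-process `domain:dir` and `domain:{ file lnk_file }` rules below it, because it applies to everything carrying the generic `proc` type. Since shell is the domain an adb user lands in, the comment should name which /proc entries are expected to be read, so that later relabelling of sensitive entries can be checked against it.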