From 979adffd45914bd7b357c404437c64bb59bec51a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 12 Aug 2015 17:01:57 -0700
Subject: [PATCH] eliminate some anr_data_file permissions.

Init is now responsible for creating /data/anr, so it's
unnecessary to grant system_server and dumpstate permissions
to relabel this directory. Remove the excess permissions.

Leave system_data_file relabelfrom, since it's possible we're
still using it somewhere.

See commits:
  https://android-review.googlesource.com/161650
  https://android-review.googlesource.com/161477
  https://android-review.googlesource.com/161638

Bug: 22385254
Change-Id: I1fd226491f54d76ff51b03d4b91e7adc8d509df9
---
 dumpstate.te     | 3 +--
 system_server.te | 5 +++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/dumpstate.te b/dumpstate.te
index 584b1406f..f2aab81b4 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -24,9 +24,8 @@ allow dumpstate system_file:file execute_no_trans;
 
 # Create and write into /data/anr/
 allow dumpstate self:capability { dac_override chown fowner fsetid };
-allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
+allow dumpstate anr_data_file:dir rw_dir_perms;
 allow dumpstate anr_data_file:file create_file_perms;
-allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };
 
 # Allow reading /data/system/uiderrors.txt
 # TODO: scope this down.
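Review bot: The removed `allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };` drops `create_dir_perms` as well as `relabelfrom`, and unlike the system_server.te hunk it does so with no `auditallow` stage, although the commit message says the system_data_file relabelfrom is being left. If dumpstate still creates or writes any directory labelled system_data_file, that access will now be denied; this may be intended, but it is worth confirming from denial logs or stating in the commit message. The `allow dumpstate self:capability { dac_override chown fowner fsetid };` line stays under the "Create and write into /data/anr/" comment, and with init creating the directory, `chown` and `fowner` may no longer be needed here and could be reviewed in a follow-up.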
diff --git a/system_server.te b/system_server.te
index 4b16d46d5..269d6ee05 100644
--- a/system_server.te
+++ b/system_server.te
@@ -269,9 +269,10 @@ allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
-# Relabel /data/anr.
+# This was originally required for relabeling /data/anr,
+# but should not be used anymore. TODO: remove it.
 allow system_server system_data_file:dir relabelfrom;
-allow system_server anr_data_file:dir relabelto;
+auditallow system_server system_data_file:dir relabelfrom;
 
 # Property Service write
 set_prop(system_server, system_prop)
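Review bot: The new comment above `auditallow system_server system_data_file:dir relabelfrom;` does not say how the TODO gets resolved. The `allow` stays in force, so system_server can still relabel any system_data_file directory until someone removes the rule; the `auditallow` only adds an `avc: granted` record when the permission is used. I would spell that out in the comment, for example `# auditallow logs "avc: granted" for any remaining use; remove both rules once none are seen (Bug: 22385254).`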
-- 
GitLab