From 9e6effa15f17e7951ad63ddd01fd22c1a42be616 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 7 Oct 2015 16:44:15 -0700
Subject: [PATCH] delete procrank SELinux domain.

Simplify SELinux policy by deleting the procrank SELinux domain.
procrank only exists on userdebug/eng builds, and anyone wanting
to run procrank can just su to root.

Bug: 18342188
Change-Id: I71adc86a137c21f170d983e320ab55be79457c16
---
 domain.te     |  3 +--
 file_contexts |  1 -
 procrank.te   | 17 -----------------
 3 files changed, 1 insertion(+), 20 deletions(-)
 delete mode 100644 procrank.te

diff --git a/domain.te b/domain.te
index 7d13e3659..34aa48f55 100644
--- a/domain.te
+++ b/domain.te
@@ -179,7 +179,6 @@ neverallow {
   -vold
   -dumpstate
   -system_server
-  userdebug_or_eng(`-procrank')
   userdebug_or_eng(`-perfprofd')
 } self:capability sys_ptrace;
 
@@ -524,7 +523,7 @@ neverallow {
   -appdomain
   -dumpstate
   -installd
-  userdebug_or_eng(`-uncrypt -procrank')
+  userdebug_or_eng(`-uncrypt')
 } shell_data_file:file open;
 
 # servicemanager is the only process which handles list request
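Review bot: The commit message covers interactive use ("su to root") but not dumpstate, which the deleted procrank.te shows was a second caller: `domain_auto_trans(dumpstate, procrank_exec, procrank)`, plus the `allow procrank shell_data_file:file w_file_perms;` rule for bugreport output. With `-procrank` dropped from this `shell_data_file:file open` exemption and the `procrank_exec` label removed from file_contexts, a dumpstate exec of /system/xbin/procrank would presumably be denied or run without a domain transition. Bugreports on userdebug/eng builds may therefore lose this section unless dumpstate is changed to invoke it through su in a companion change that is not visible here. It is worth saying so in the description, e.g. `dumpstate now runs procrank via su (see <companion change id>)`, and noting that procrank then runs in the su domain rather than under the narrow allow rules deleted here. The neverallow block this hunk edits opens above the hunk, so its full source set is not visible.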
diff --git a/file_contexts b/file_contexts
index 69a59548a..6b7f85192 100644
--- a/file_contexts
+++ b/file_contexts
@@ -179,7 +179,6 @@
 /system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
-/system/xbin/procrank   u:object_r:procrank_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
diff --git a/procrank.te b/procrank.te
deleted file mode 100644
index 1aaaad092..000000000
--- a/procrank.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# File types must be defined for file_contexts.
-type procrank_exec, exec_type, file_type;
-
-userdebug_or_eng(`
-  type procrank, domain, mlstrustedsubject;
-
-  domain_auto_trans(shell, procrank_exec, procrank)
-  domain_auto_trans(dumpstate, procrank_exec, procrank)
-  allow procrank self:capability sys_ptrace;
-  allow procrank devpts:chr_file { read write getattr ioctl };
-  allow procrank dumpstate:unix_stream_socket { read write getattr };
-  r_dir_file(procrank, domain)
-  allow procrank { shell dumpstate }:fd use;
-  allow procrank adbd:process sigchld;
-  # allow procrank write to bugreport.
-  allow procrank shell_data_file:file w_file_perms;
-')
-- 
GitLab