Revert "audit domain_deprecated perms for removal"

This reverts commit 9c820a11.

Bug: 31364540
Change-Id: I98a34bd32dd835e6795d31a90f16f4ccd691e6e5

app.te

@@ -57,7 +57,6 @@ allow appdomain adbd:process sigchld;
 allow appdomain devpts:chr_file { getattr read write ioctl };
 
 # Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
@@ -138,8 +137,6 @@ userdebug_or_eng(`
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
@@ -167,8 +164,7 @@ allow appdomain backup_data_file:file { read write getattr };
 allow appdomain cache_backup_file:file { read write getattr };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:lnk_file getattr;
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow appdomain media_rw_data_file:file { read getattr };
@@ -235,8 +231,6 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
   ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain -isolated_app } ion_device:chr_file { write append };
 
 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;

bluetooth.te

@@ -19,7 +19,6 @@ r_dir_file(bluetooth, bluetooth_efs_file)
 allow bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
 
 # sysfs access.
-r_dir_file(bluetooth, sysfs_type)
 allow bluetooth sysfs_bluetooth_writable:file rw_file_perms;
 allow bluetooth self:capability net_admin;
 allow bluetooth self:capability2 wake_alarm;

clatd.te

@@ -4,8 +4,6 @@ type clatd_exec, exec_type, file_type;
 
 net_domain(clatd)
 
-r_dir_file(clatd, proc_net)
-
 # Access objects inherited from netd.
 allow clatd netd:fd use;
 allow clatd netd:fifo_file { read write };

debuggerd.te

@@ -58,7 +58,3 @@ read_logd(debuggerd)
 
 # Check SELinux permissions.
 selinux_check_access(debuggerd)
-
-# Read /data/dalvik-cache.
-allow debuggerd dalvikcache_data_file:dir { search getattr };
-allow debuggerd dalvikcache_data_file:file r_file_perms;

dex2oat.te

@@ -2,11 +2,6 @@
 type dex2oat, domain, domain_deprecated;
 type dex2oat_exec, exec_type, file_type;
 
-r_dir_file(dex2oat, apk_data_file)
-
-allow dex2oat tmpfs:file { read getattr };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
 # the oat file is symlinked to the original file in /system.

domain_deprecated.te

 # rules removed from the domain attribute
 
 # Read access to properties mapping.
-allow { domain_deprecated -init } kernel:fd use;
+allow domain_deprecated kernel:fd use;
 allow domain_deprecated tmpfs:file { read getattr };
 allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow domain_deprecated kernel:fd use;
-auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
-auditallow domain_deprecated tmpfs:lnk_file { read getattr };
 
 # Search /storage/emulated tmpfs mount.
 allow domain_deprecated tmpfs:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
 
 # Inherit or receive open files from others.
 allow domain_deprecated system_server:fd use;
-auditallow { domain_deprecated -appdomain -mediaextractor -mediaserver -netd -surfaceflinger } system_server:fd use;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:unix_stream_socket connectto;
 allow domain_deprecated adbd:fd use;
 allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 # Root fs.
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
 # Device accesses.
 allow domain_deprecated device:file read;
-auditallow domain_deprecated device:file read;
 
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
 allow domain_deprecated system_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:dir { open read ioctl lock }; # search getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow { domain_deprecated -appdomain -drmserver -init -rild -surfaceflinger -system_server -zygote } system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
 allow domain_deprecated system_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -sdcardd -system_server -tee } system_data_file:file { getattr read };
-auditallow { domain_deprecated -appdomain -init -logd -system_server -tee } system_data_file:lnk_file r_file_perms;
 
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
 allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_server } apk_data_file:dir { getattr search };
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
 
 # Read /data/dalvik-cache.
 allow domain_deprecated dalvikcache_data_file:dir { search getattr };
 allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -init -installd -system_server -zygote } dalvikcache_data_file:dir { search getattr };
-auditallow { domain_deprecated -appdomain -debuggerd -dex2oat -installd -system_server -zygote } dalvikcache_data_file:file r_file_perms;
 
 # Read already opened /cache files.
 allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;
-auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:dir { open read search ioctl lock };
-auditallow { domain_deprecated -appdomain -init -priv_app -system_server -vold } cache_file:dir getattr;
-auditallow { domain_deprecated -init -priv_app -system_server -vold } cache_file:file { getattr read };
-auditallow { domain_deprecated -init -system_server -vold } cache_file:lnk_file r_file_perms;
 
 #Allow access to ion memory allocation device
 allow domain_deprecated ion_device:chr_file rw_file_perms;
-# split this auditallow into read and write perms since most domains seem to
-# only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -mediaserver -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
-auditallow domain_deprecated ion_device:chr_file { write append };
 
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
@@ -88,28 +58,11 @@ r_dir_file(domain_deprecated, inotify)
 r_dir_file(domain_deprecated, cgroup)
 allow domain_deprecated proc_meminfo:file r_file_perms;
 r_dir_file(domain_deprecated, proc_net)
-#auditallow domain_deprecated proc:dir r_dir_perms; # r_dir_perms granted in domain
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:file r_file_perms;
-auditallow { domain_deprecated -fsck -fsck_untrusted -init -logd -priv_app -rild -system_server -vold } proc:lnk_file { open ioctl lock }; # getattr read granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:file r_file_perms;
-auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-auditallow domain_deprecated inotify:dir r_dir_perms;
-auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
-auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
 
 # Get SELinux enforcing status.
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -appdomain -debuggerd -drmserver -init -installd -kernel -keystore -postinstall_dexopt -runas -servicemanager -system_server -ueventd -zygote } selinuxfs:file { open read ioctl lock }; # getattr granted in domain
 
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
 allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
-auditallow domain_deprecated asec_public_file:file r_file_perms;
-auditallow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;

drmserver.te

@@ -54,6 +54,3 @@ allow drmserver drmserver_service:service_manager { add find };
 allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, system_file)

fingerprintd.te

@@ -21,7 +21,3 @@ allow fingerprintd keystore:keystore_key { add_auth };
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
-
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
-allow fingerprintd ion_device:chr_file r_file_perms;

fsck.te

@@ -25,8 +25,6 @@ allow fsck dm_device:blk_file rw_file_perms;
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
 
-r_dir_file(fsck, proc)
-
 ###
 ### neverallow rules
 ###

fsck_untrusted.te

@@ -12,8 +12,6 @@ allow fsck_untrusted vold:fifo_file { read write getattr };
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;
 
-r_dir_file(fsck_untrusted, proc)
-
 ###
 ### neverallow rules
 ###

gatekeeperd.te

@@ -6,7 +6,6 @@ init_daemon_domain(gatekeeperd)
 binder_service(gatekeeperd)
 binder_use(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
-allow gatekeeperd ion_device:chr_file r_file_perms;
 
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
@@ -28,6 +27,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 # For hardware properties retrieval
 allow gatekeeperd hardware_properties_service:service_manager find;
 
-r_dir_file(gatekeeperd, cgroup)
-
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;

healthd.te

@@ -6,8 +6,7 @@ type healthd, domain, domain_deprecated;
 allow healthd kmsg_device:chr_file rw_file_perms;
 
 # Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
-r_dir_file(healthd, rootfs)
+r_dir_file(healthd, sysfs)
 
 allow healthd self:capability { net_admin sys_tty_config };
 wakelock_use(healthd)
@@ -25,9 +24,6 @@ allow healthd sysfs_usb:file write;
 
 allow healthd sysfs_batteryinfo:file r_file_perms;
 
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, sysfs_type)
-
 ###
 ### healthd: charger mode
 ###

init.te

@@ -26,8 +26,6 @@ allow init tmpfs:blk_file getattr;
 allow init block_device:{ dir blk_file } relabelto;
 allow init dm_device:{ chr_file blk_file } relabelto;
 
-allow init kernel:fd use;
-
 # setrlimit
 allow init self:capability sys_resource;
 
@@ -69,7 +67,6 @@ allow init sysfs:dir mounton;
 allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
 allow init cpuctl_device:dir { create mounton };
 
 # /config
@@ -200,11 +197,9 @@ allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 
 # Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
 allow init proc:file w_file_perms;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(init, proc_net)
 allow init proc_net:file w_file_perms;
 allow init self:capability net_admin;
 
@@ -220,7 +215,10 @@ allow init self:capability sys_boot;
 # Write to sysfs nodes.
 allow init sysfs_type:dir r_dir_perms;
 allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
+allow init sysfs_type:file w_file_perms;
+
+# disksize
+allow init sysfs_zram:file getattr;
 
 # Transitions to seclabel processes in init.rc
 domain_trans(init, rootfs, adbd)
@@ -349,15 +347,6 @@ unix_socket_connect(init, vold, vold)
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
-allow init apk_data_file:dir { getattr search };
-allow init dalvikcache_data_file:dir { search getattr };
-r_dir_file(init, system_file)
-allow init proc_meminfo:file r_file_perms;
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-
 ###
 ### neverallow rules
 ###

inputflinger.te

@@ -13,5 +13,3 @@ wakelock_use(inputflinger)
 allow inputflinger inputflinger_service:service_manager { add find };
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)

installd.te

@@ -13,7 +13,7 @@ allow installd dalvikcache_data_file:file { relabelto link };
 # Allow movement of APK files between volumes
 allow installd apk_data_file:dir { create_dir_perms relabelfrom };
 allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+allow installd apk_data_file:lnk_file { create read unlink };
 
 allow installd asec_apk_file:file r_file_perms;
 allow installd apk_tmp_file:file { r_file_perms unlink };
@@ -21,13 +21,10 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
 
-r_dir_file(installd, rootfs)
-
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
 allow installd asec_image_file:file getattr;

kernel.te

@@ -4,7 +4,9 @@ type kernel, domain, domain_deprecated, mlstrustedsubject;
 allow kernel self:capability sys_nice;
 
 # Root fs.
-r_dir_file(kernel, rootfs)
+allow kernel rootfs:dir r_dir_perms;
+allow kernel rootfs:file r_file_perms;
+allow kernel rootfs:lnk_file r_file_perms;
 
 # Get SELinux enforcing status.
 allow kernel selinuxfs:dir r_dir_perms;

keystore.te

@@ -19,9 +19,6 @@ allow keystore sec_key_att_app_id_provider_service:service_manager find;
 # Check SELinux permissions.
 selinux_check_access(keystore)
 
-allow keystore ion_device:chr_file r_file_perms;
-r_dir_file(keystore, cgroup)
-
 ###
 ### Neverallow rules
 ###

logd.te

@@ -5,9 +5,7 @@ type logd_exec, exec_type, file_type;
 init_daemon_domain(logd)
 
 # Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
 r_dir_file(logd, proc)
-r_dir_file(logd, proc_meminfo)
 r_dir_file(logd, proc_net)
 
 allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
@@ -15,7 +13,7 @@ allow logd self:capability2 syslog;
 allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
-allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd system_data_file:file r_file_perms;
 # logpersist is only allowed on userdebug and eng builds
 userdebug_or_eng(`
   allow logd misc_logd_file:file create_file_perms;

mediaextractor.te

@@ -13,10 +13,6 @@ binder_service(mediaextractor)
 
 allow mediaextractor mediaextractor_service:service_manager add;
 
-allow mediaextractor system_server:fd use;
-
-r_dir_file(mediaextractor, cgroup)
-
 ###
 ### neverallow rules
 ###

mediaserver.te

@@ -8,7 +8,6 @@ net_domain(mediaserver)
 init_daemon_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaextractor, cgroup)
 
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
@@ -124,9 +123,6 @@ allow mediaserver media_rw_data_file:file create_file_perms;
 # Access to /data/preloads
 allow mediaserver preloads_data_file:file { getattr read ioctl };
 
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver system_server:fd use;
-
 ###
 ### neverallow rules
 ###