Revert "audit domain_deprecated perms for removal"

This reverts commit 9c820a11.

Bug: 31364540
Change-Id: I98a34bd32dd835e6795d31a90f16f4ccd691e6e5

netd.te

@@ -5,9 +5,6 @@ type netd_exec, exec_type, file_type;
 init_daemon_domain(netd)
 net_domain(netd)
 
-r_dir_file(netd, cgroup)
-allow netd system_server:fd use;
-
 allow netd self:capability { net_admin net_raw kill };
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
@@ -29,7 +26,7 @@ allow netd system_file:file x_file_perms;
 allow netd devpts:chr_file rw_file_perms;
 
 # For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net:file rw_file_perms;
+allow netd proc_net:file write;
 
 # Enables PppController and interface enumeration (among others)
 r_dir_file(netd, sysfs_type)

postinstall_dexopt.te

@@ -39,6 +39,8 @@ allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
 allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
 allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
 
+allow postinstall_dexopt selinuxfs:dir r_dir_perms;
+
 # Check validity of SELinux context before use.
 selinux_check_context(postinstall_dexopt)
 selinux_check_access(postinstall_dexopt)

priv_app.te

@@ -82,10 +82,9 @@ allow priv_app fuse_device:chr_file { read write };
 allow priv_app app_fuse_file:dir rw_dir_perms;
 allow priv_app app_fuse_file:file rw_file_perms;
 
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
-r_dir_file(priv_app, rootfs)
+# /sys access
+allow priv_app sysfs_zram:dir search;
+allow priv_app sysfs_zram:file r_file_perms;
 
 # access the mac address
 allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;

rild.te

@@ -9,7 +9,6 @@ allow rild kernel:system module_request;
 allow rild self:capability { setpcap setgid setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
-allow rild cgroup:{ file lnk_file } r_file_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
 allow rild mtd_device:dir search;
@@ -43,7 +42,3 @@ allow rild self:netlink_kobject_uevent_socket create_socket_perms;
 wakelock_use(rild)
 
 allow rild self:socket create_socket_perms;
-
-r_dir_file(rild, proc)
-r_dir_file(rild, sysfs_type)
-r_dir_file(rild, system_file)

servicemanager.te

@@ -13,7 +13,5 @@ init_daemon_domain(servicemanager)
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
-r_dir_file(servicemanager, rootfs)
-
 # Check SELinux permissions.
 selinux_check_access(servicemanager)

surfaceflinger.te

@@ -60,14 +60,6 @@ allow surfaceflinger gpu_service:service_manager { add find };
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger window_service:service_manager find;
 
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger ion_device:chr_file r_file_perms;
-
 # allow self to set SCHED_FIFO
 allow surfaceflinger self:capability sys_nice;
 

system_app.te

@@ -72,6 +72,7 @@ allow system_app keystore:keystore_key {
 };
 
 # /sys access
-r_dir_file(system_app, sysfs_type)
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file r_file_perms;
 
 control_logd(system_app)

system_server.te

@@ -8,8 +8,8 @@ type system_server, domain, domain_deprecated, mlstrustedsubject;
 tmpfs_domain(system_server)
 
 # For art.
+allow system_server dalvikcache_data_file:file execute;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
-allow system_server dalvikcache_data_file:file { r_file_perms execute };
 
 # Enable system server to check the foreign dex usage markers.
 # We need search on top level directories so that we can get to the files
@@ -229,7 +229,7 @@ allow system_server keychain_data_file:lnk_file create_file_perms;
 
 # Manage /data/app.
 allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_data_file:file { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
@@ -372,9 +372,7 @@ allow system_server { cache_file cache_recovery_file }:file { relabelfrom create
 allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
 
 # Run system programs, e.g. dexopt. Needed? (b/28035297)
-allow system_server system_file:file rx_file_perms;
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
+allow system_server system_file:file x_file_perms;
 auditallow system_server system_file:file execute_no_trans;
 
 # LocationManager(e.g, GPS) needs to read and write
@@ -544,16 +542,6 @@ allow system_server update_engine:fifo_file write;
 allow system_server preloads_data_file:file { r_file_perms unlink };
 allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
 
-r_dir_file(system_server, cgroup)
-allow system_server ion_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
-r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
-
-
 ###
 ### Neverallow rules
 ###

te_macros

@@ -78,7 +78,6 @@ define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 allow $1 $1_tmpfs:file { read write };
-allow $1 tmpfs:dir { getattr search };
 ')
 
 #####################################
@@ -234,8 +233,7 @@ allow $1 self:capability2 block_suspend;
 # selinux_check_access(domain)
 # Allow domain to check SELinux permissions via selinuxfs.
 define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security compute_av;
 allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
 ')
@@ -244,8 +242,7 @@ allow $1 self:netlink_selinux_socket { read write create getattr setattr lock re
 # selinux_check_context(domain)
 # Allow domain to check SELinux contexts via selinuxfs.
 define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security check_context;
 ')
 
@@ -253,8 +250,7 @@ allow $1 kernel:security check_context;
 # selinux_setenforce(domain)
 # Allow domain to set SELinux to enforcing.
 define(`selinux_setenforce', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setenforce;
 ')
 
@@ -262,8 +258,7 @@ allow $1 kernel:security setenforce;
 # selinux_setbool(domain)
 # Allow domain to set SELinux booleans.
 define(`selinux_setbool', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
+allow $1 selinuxfs:file rw_file_perms;
 allow $1 kernel:security setbool;
 ')
 

tee.te

@@ -13,7 +13,3 @@ allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
 allow tee self:netlink_socket create_socket_perms;
 allow tee self:netlink_generic_socket create_socket_perms;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;

ueventd.te

@@ -9,10 +9,8 @@ allow ueventd kmsg_device:chr_file rw_file_perms;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
-r_dir_file(ueventd, sysfs_type)
-r_dir_file(ueventd, rootfs)
-allow ueventd sysfs:file w_file_perms;
-allow ueventd sysfs_usb:file w_file_perms;
+allow ueventd sysfs:file rw_file_perms;
+allow ueventd sysfs_usb:file rw_file_perms;
 allow ueventd sysfs_hwrandom:file w_file_perms;
 allow ueventd sysfs_zram_uevent:file w_file_perms;
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr getattr };
@@ -27,9 +25,6 @@ allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
 allow ueventd efs_file:dir search;
 allow ueventd efs_file:file r_file_perms;
 
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 

untrusted_app.te

@@ -90,6 +90,9 @@ userdebug_or_eng(`
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow untrusted_app self:process ptrace;
 
+# access /proc/net/xt_qtguid/stats
+r_dir_file(untrusted_app, proc_net)
+
 # Cts: HwRngTest
 allow untrusted_app sysfs_hwrandom:dir search;
 allow untrusted_app sysfs_hwrandom:file r_file_perms;

vold.te

@@ -16,18 +16,8 @@ allow vold cache_file:lnk_file r_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(vold, proc)
 r_dir_file(vold, proc_net)
-r_dir_file(vold, sysfs_type)
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow vold sysfs_usb:file w_file_perms;
-
-# coldboot of /sys/block
-allow vold sysfs_zram_uevent:file rw_file_perms;
-
+r_dir_file(vold, sysfs)
 r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
 
 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
@@ -97,6 +87,9 @@ allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
 allow vold self:capability { sys_ptrace kill };
 
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
 allow vold kmsg_device:chr_file rw_file_perms;
 
 # Run fsck in the fsck domain.
@@ -106,8 +99,6 @@ allow vold fsck_exec:file { r_file_perms execute };
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;
 
-allow vold ion_device:chr_file r_file_perms;
-
 #
 # Rules to support encrypted fs support.
 #
@@ -186,6 +177,10 @@ allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
 
+# coldboot of /sys/block
+allow vold sysfs_zram:dir r_dir_perms;
+allow vold sysfs_zram_uevent:file rw_file_perms;
+
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
 

wpa.te

@@ -6,9 +6,6 @@ init_daemon_domain(wpa)
 
 net_domain(wpa)
 
-r_dir_file(wpa, sysfs_type)
-r_dir_file(wpa, proc_net)
-
 allow wpa kernel:system module_request;
 allow wpa self:capability { setuid net_admin setgid net_raw };
 allow wpa cgroup:dir create_dir_perms;

zygote.te

@@ -38,7 +38,6 @@ allow zygote idmap_exec:file rx_file_perms;
 allow zygote dex2oat_exec:file rx_file_perms;
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
 allow zygote self:capability sys_admin;
 # Allow zygote to stat the files that it opens. The zygote must
 # be able to inspect them so that it can reopen them on fork
@@ -74,10 +73,11 @@ allow zygote zygote_exec:file rx_file_perms;
 r_dir_file(zygote, proc_net)
 
 # Root fs.
-r_dir_file(zygote, rootfs)
+allow zygote rootfs:file r_file_perms;
 
 # System file accesses.
-r_dir_file(zygote, system_file)
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
 
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
@@ -85,9 +85,6 @@ userdebug_or_eng(`
   allow zygote method_trace_data_file:file { create w_file_perms };
 ')
 
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
 ###
 ### neverallow rules
 ###