From ca5bb3371d01f5eb084046918d54bd34a4cbba2b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 5 Jul 2017 22:17:46 -0700
Subject: [PATCH] domain_deprecated: remove tmpfs dir access

Address "granted" audit messages for dumpstate use of df.

avc: granted { getattr } for comm="df" path="/mnt" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir
avc: granted { search } for comm="df" name="/" dev="tmpfs"
scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir

Bug: 28760354
Test: Build, check logs.
Change-Id: I920948a5f0bce1b4bd2f15779730df8b3b1fea5a
---
 public/domain_deprecated.te | 16 ----------------
 public/dumpstate.te         |  2 +-
 2 files changed, 1 insertion(+), 17 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index f5231fbb3..f989ea1e7 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,21 +1,5 @@
 # rules removed from the domain attribute
 
-# Search /storage/emulated tmpfs mount.
-allow { domain_deprecated -installd } tmpfs:dir r_dir_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -installd
-  -recovery
-  -sdcardd
-  -surfaceflinger
-  -system_server
-  -vold
-  -zygote
-} tmpfs:dir r_dir_perms;
-')
-
 # Root fs.
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ee27cbee7..66eaa1f2c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -82,7 +82,7 @@ allow dumpstate sysfs_usb:file w_file_perms;
 allow dumpstate qtaguid_proc:file r_file_perms;
 allow dumpstate debugfs:file r_file_perms;
 # df for /storage/emulated needs search
-allow dumpstate { storage_file block_device }:dir { search getattr };
+allow dumpstate { block_device storage_file tmpfs }:dir { search getattr };
 allow dumpstate fuse_device:chr_file getattr;
 allow dumpstate { dm_device cache_block_device }:blk_file getattr;
 
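Review bot: The comment above the changed rule still reads `# df for /storage/emulated needs search`, but the rule now also covers `tmpfs` directories and the `getattr` permission, which the commit message ties to df touching `/mnt` and a tmpfs root. I would reword it to `# df needs search and getattr on storage, block device and tmpfs mount dirs (e.g. /mnt, /storage/emulated)`, so the reason for the tmpfs grant stays next to the rule. Granting dumpstate only `{ search getattr }` rather than the removed `r_dir_perms` is a reasonable narrowing. Separately, the auditallow deleted from domain_deprecated.te excluded appdomain, recovery, sdcardd, surfaceflinger, system_server, vold and zygote, so the "granted" logs used for testing could not show whether those domains relied on the blanket `tmpfs:dir` allow. Their own policy files are not visible here, so it is worth confirming each one carries an explicit rule where it needs one.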
-- 
GitLab