From cb23ca92f303fca6bb0f48a1beb384e220afe39e Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 29 May 2014 16:37:13 -0400
Subject: [PATCH] Remove domain unlabeled access.

https://android-review.googlesource.com/#/c/95900/ added allow rules for unlabeled access as needed to all confined domains. Therefore we can remove it from domain. The only other domain that truly needs unlabeled access is init, which presently inherits it from unconfineddomain. Also prevent rules that would permit any confined domain from creating new unlabeled files on the system.

Change-Id: I31c6478b42fbf60e3b7893b9578b6ad50170def6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 24 +++---------------------
 1 file changed, 3 insertions(+), 21 deletions(-)

diff --git a/domain.te b/domain.te
index 20869114e..dbe232469 100644
--- a/domain.te
+++ b/domain.te
@@ -143,31 +143,13 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-######## Backwards compatibility - Unlabeled files ############
-
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
-auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
-auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
-auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
-auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
-auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
-auditallow system_server unlabeled:dir ~r_dir_perms;
-auditallow system_server unlabeled:file ~r_file_perms;
-auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
-
 ###
 ### neverallow rules
 ###
 
+# Do not allow any confined domain to create new unlabeled files.
+neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
-- 
GitLab
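Review bot: The new neverallow blocks only `create`, so a confined domain that is granted `relabelto` on `unlabeled` could still turn labeled files into unlabeled ones by relabeling them, which defeats the invariant the added comment states. Consider widening it to `neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set { create relabelto };`, assuming no confined domain is currently granted relabelto on unlabeled, which this hunk cannot confirm. Separately, the exemption is keyed on `unconfineddomain` while the commit message says only init truly needs unlabeled access, so every domain still carrying that attribute keeps the ability to create unlabeled files; a comment such as `# init inherits this via unconfineddomain; narrow to -init once its unlabeled rules are moved there` next to the rule would keep that intent from being lost when unconfineddomain is trimmed. The neverallow section continues past the end of the hunk.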