From e8178b31e636dff4dcc6c5b1464f74f51cc65acf Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 26 May 2015 15:12:19 -0400
Subject: [PATCH] Remove unused userspace security classes.

These are all userspace security class definitions that are unused in Android; they are only meaningful in Linux distributions.

Change-Id: I99738752da996d9a1c7793eea049d937ffe4255b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 access_vectors | 333 ----------------------------------------------
 security_classes | 49 -------
 2 files changed, 382 deletions(-)

diff --git a/access_vectors b/access_vectors
index c280f0840..5b5b6ad69 100644
--- a/access_vectors
+++ b/access_vectors
@@ -79,47 +79,6 @@ common ipc
 	unix_write
 }
-#
-# Define a common prefix for userspace database object access vectors.
-#
-
-common database
-{
-	create
-	drop
-	getattr
-	setattr
-	relabelfrom
-	relabelto
-}
-
-#
-# Define a common prefix for pointer and keyboard access vectors.
-#
-
-common x_device
-{
-	getattr
-	setattr
-	use
-	read
-	write
-	getfocus
-	setfocus
-	bell
-	force_cursor
-	freeze
-	grab
-	manage
-	list_property
-	get_property
-	set_property
-	add
-	remove
-	create
-	destroy
-}
-
 #
 # Define the access vectors.
 #
@@ -449,165 +408,6 @@ class capability2
 	block_suspend
 }
-#
-# Define the access vector interpretation for controlling
-# changes to passwd information.
-#
-class passwd
-{
-	passwd # change another user passwd
-	chfn # change another user finger info
-	chsh # change another user shell
-	rootok # pam_rootok check (skip auth)
-	crontab # crontab on another user
-}
-
-#
-# SE-X Windows stuff
-#
-class x_drawable
-{
-	create
-	destroy
-	read
-	write
-	blend
-	getattr
-	setattr
-	list_child
-	add_child
-	remove_child
-	list_property
-	get_property
-	set_property
-	manage
-	override
-	show
-	hide
-	send
-	receive
-}
-
-class x_screen
-{
-	getattr
-	setattr
-	hide_cursor
-	show_cursor
-	saver_getattr
-	saver_setattr
-	saver_hide
-	saver_show
-}
-
-class x_gc
-{
-	create
-	destroy
-	getattr
-	setattr
-	use
-}
-
-class x_font
-{
-	create
-	destroy
-	getattr
-	add_glyph
-	remove_glyph
-	use
-}
-
-class x_colormap
-{
-	create
-	destroy
-	read
-	write
-	getattr
-	add_color
-	remove_color
-	install
-	uninstall
-	use
-}
-
-class x_property
-{
-	create
-	destroy
-	read
-	write
-	append
-	getattr
-	setattr
-}
-
-class x_selection
-{
-	read
-	write
-	getattr
-	setattr
-}
-
-class x_cursor
-{
-	create
-	destroy
-	read
-	write
-	getattr
-	setattr
-	use
-}
-
-class x_client
-{
-	destroy
-	getattr
-	setattr
-	manage
-}
-
-class x_device
-inherits x_device
-
-class x_server
-{
-	getattr
-	setattr
-	record
-	debug
-	grab
-	manage
-}
-
-class x_extension
-{
-	query
-	use
-}
-
-class x_resource
-{
-	read
-	write
-}
-
-class x_event
-{
-	send
-	receive
-}
-
-class x_synthetic_event
-{
-	send
-	receive
-}
-
 #
 # Extended Netlink classes
 #
@@ -665,33 +465,6 @@ inherits socket
 class netlink_dnrt_socket
 inherits socket
-# Define the access vector interpretation for controlling
-# access and communication through the D-BUS messaging
-# system.
-#
-class dbus
-{
-	acquire_svc
-	send_msg
-}
-
-# Define the access vector interpretation for controlling
-# access through the name service cache daemon (nscd).
-#
-class nscd
-{
-	getpwd
-	getgrp
-	gethost
-	getstat
-	admin
-	shmempwd
-	shmemgrp
-	shmemhost
-	getserv
-	shmemserv
-}
-
 # Define the access vector interpretation for controlling
 # access to IPSec network data by association
 #
@@ -732,12 +505,6 @@ class key
 	create
 }
-class context
-{
-	translate
-	contains
-}
-
 class dccp_socket
 inherits socket
 {
@@ -750,77 +517,12 @@ class memprotect
 	mmap_zero
 }
-class db_database
-inherits database
-{
-	access
-	install_module
-	load_module
-	get_param # deprecated
-	set_param # deprecated
-}
-
-class db_table
-inherits database
-{
-	use # deprecated
-	select
-	update
-	insert
-	delete
-	lock
-}
-
-class db_procedure
-inherits database
-{
-	execute
-	entrypoint
-	install
-}
-
-class db_column
-inherits database
-{
-	use # deprecated
-	select
-	update
-	insert
-}
-
-class db_tuple
-{
-	relabelfrom
-	relabelto
-	use # deprecated
-	select
-	update
-	insert
-	delete
-}
-
-class db_blob
-inherits database
-{
-	read
-	write
-	import
-	export
-}
-
 # network peer labels
 class peer
 {
 	recv
 }
-class x_application_data
-{
-	paste
-	paste_after_confirm
-	copy
-}
-
 class kernel_service
 {
 	use_as_override
@@ -833,41 +535,6 @@ inherits socket
 	attach_queue
 }
-class x_pointer
-inherits x_device
-
-class x_keyboard
-inherits x_device
-
-class db_schema
-inherits database
-{
-	search
-	add_name
-	remove_name
-}
-
-class db_view
-inherits database
-{
-	expand
-}
-
-class db_sequence
-inherits database
-{
-	get_value
-	next_value
-	set_value
-}
-
-class db_language
-inherits database
-{
-	implement
-	execute
-}
-
 class binder
 {
 	impersonate
diff --git a/security_classes b/security_classes
index c0c965971..7ea3a380c 100644
--- a/security_classes
+++ b/security_classes
@@ -43,27 +43,6 @@ class msgq
 class shm
 class ipc
-#
-# userspace object manager classes
-#
-
-# passwd/chfn/chsh
-class passwd # userspace
-
-# SE-X Windows stuff (more classes below)
-class x_drawable # userspace
-class x_screen # userspace
-class x_gc # userspace
-class x_font # userspace
-class x_colormap # userspace
-class x_property # userspace
-class x_selection # userspace
-class x_cursor # userspace
-class x_client # userspace
-class x_device # userspace
-class x_server # userspace
-class x_extension # userspace
-
 # extended netlink sockets
 class netlink_route_socket
 class netlink_firewall_socket
@@ -75,9 +54,6 @@ class netlink_audit_socket
 class netlink_ip6fw_socket
 class netlink_dnrt_socket
-class dbus # userspace
-class nscd # userspace
-
 # IPSec association
 class association
@@ -91,46 +67,21 @@ class packet
 # Kernel access key retention
 class key
-class context # userspace
-
 class dccp_socket
 class memprotect
-class db_database # userspace
-class db_table # userspace
-class db_procedure # userspace
-class db_column # userspace
-class db_tuple # userspace
-class db_blob # userspace
-
 # network peer labels
 class peer
 # Capabilities >= 32
 class capability2
-# More SE-X Windows stuff
-class x_resource # userspace
-class x_event # userspace
-class x_synthetic_event # userspace
-class x_application_data # userspace
-
 # kernel services that need to override task security, e.g. cachefiles
 class kernel_service
 class tun_socket
-# Still More SE-X Windows stuff
-class x_pointer # userspace
-class x_keyboard # userspace
-
-# More Database stuff
-class db_schema # userspace
-class db_view # userspace
-class db_sequence # userspace
-class db_language # userspace
-
 class binder
 # Property service
-- 
GitLab