Commit eab26faa authored by dcashman's avatar dcashman

Remove service_manager_local_audit_domain.

service_manager_local_audit_domain was used to fine tune the service_manager
auditallow rules when introducing the service_manager SELinux rules.  This is no
longer needed.

Bug: 21656807
Change-Id: Ia042a887e7bf9eb2a2b08b8d831e68dfe6395f75
parent 0d22c6ce
...@@ -73,6 +73,3 @@ attribute bluetoothdomain; ...@@ -73,6 +73,3 @@ attribute bluetoothdomain;
# All domains used for binder service domains. # All domains used for binder service domains.
attribute binderservicedomain; attribute binderservicedomain;
# All domains that are excluded from the domain.te auditallow.
attribute service_manager_local_audit;
...@@ -109,6 +109,5 @@ allow dumpstate tombstone_data_file:file r_file_perms; ...@@ -109,6 +109,5 @@ allow dumpstate tombstone_data_file:file r_file_perms;
allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find; allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
allow dumpstate servicemanager:service_manager list; allow dumpstate servicemanager:service_manager list;
service_manager_local_audit_domain(dumpstate)
allow dumpstate devpts:chr_file rw_file_perms; allow dumpstate devpts:chr_file rw_file_perms;
...@@ -18,8 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock }; ...@@ -18,8 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
allow isolated_app activity_service:service_manager find; allow isolated_app activity_service:service_manager find;
allow isolated_app display_service:service_manager find; allow isolated_app display_service:service_manager find;
service_manager_local_audit_domain(isolated_app)
##### #####
##### Neverallow ##### Neverallow
##### #####
......
...@@ -63,7 +63,6 @@ allow shell kernel:system syslog_read; ...@@ -63,7 +63,6 @@ allow shell kernel:system syslog_read;
allow shell servicemanager:service_manager list; allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service # don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find; allow shell { service_manager_type -gatekeeper_service }:service_manager find;
service_manager_local_audit_domain(shell)
# allow shell to look through /proc/ for ps, top # allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr }; allow shell domain:dir { search open read getattr };
......
...@@ -50,5 +50,4 @@ userdebug_or_eng(` ...@@ -50,5 +50,4 @@ userdebug_or_eng(`
dontaudit su domain:debuggerd *; dontaudit su domain:debuggerd *;
dontaudit su domain:drmservice *; dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *; dontaudit su unlabeled:filesystem *;
service_manager_local_audit_domain(su)
') ')
...@@ -364,14 +364,6 @@ define(`use_keystore', ` ...@@ -364,14 +364,6 @@ define(`use_keystore', `
binder_call($1, keystore) binder_call($1, keystore)
') ')
###########################################
# service_manager_local_audit_domain(domain)
# Has its own auditallow rule on service_manager
# and should be excluded from the domain.te auditallow.
define(`service_manager_local_audit_domain', `
typeattribute $1 service_manager_local_audit;
')
########################################### ###########################################
# use_drmservice(domain) # use_drmservice(domain)
# Ability to use DrmService which requires # Ability to use DrmService which requires
......