From f2de07529b9db84b85064580b0c7aae2a751b0b9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 20 Nov 2016 08:32:00 -0800
Subject: [PATCH] domain_deprecated.te: delete stale permissions

auditallows have been in place for quite a while now, and nothing has
triggered. Let's do some cleanup!

Bug: 28760354
Test: device boots and no new denials
Test: SELinux denials collection has seen no instances of these
      permissions
Change-Id: I9293f8d8756c9db6307e344c32cd11b9e0183e7f
---
 public/domain_deprecated.te | 53 -------------------------------------
 1 file changed, 53 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 226cc0f58..19a03b76f 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,13 +1,5 @@
 # rules removed from the domain attribute
 
-# Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
-allow domain_deprecated tmpfs:file { read getattr };
-allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow { domain_deprecated -init } kernel:fd use;
-auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
-auditallow domain_deprecated tmpfs:lnk_file { read getattr };
-
 # Search /storage/emulated tmpfs mount.
 allow domain_deprecated tmpfs:dir r_dir_perms;
 auditallow { domain_deprecated -appdomain -init -sdcardd -surfaceflinger -system_server -vold -zygote } tmpfs:dir r_dir_perms;
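Review bot: The "nothing has triggered" evidence does not cover every domain that loses access in this hunk. The removed `auditallow { domain_deprecated -init } kernel:fd use;` and `auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };` skipped init and dex2oat, while the removed `allow` rules had no such exclusions. If those types carry the domain_deprecated attribute (the exclusions suggest they do), they need their own grants such as `allow init kernel:fd use;` and `allow dex2oat tmpfs:file { read getattr };`, and this patch does not show whether those exist. The same caveat applies to the exclusion lists on the removed system_file:lnk_file and dalvikcache_data_file auditallow rules in the later hunks. A boot test only catches denials that occur during that run, so the commit message should name the per-domain rules that cover the excluded types.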
@@ -18,12 +10,8 @@ auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
-allow domain_deprecated adbd:unix_stream_socket connectto;
 allow domain_deprecated adbd:fd use;
-allow domain_deprecated adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket connectto;
 auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
-auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 # Root fs.
 allow domain_deprecated rootfs:dir r_dir_perms;
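Review bot: The comment above the adbd rules is now stale. It still says "Connect to adbd and use a socket transferred from it", but the new side keeps only `allow domain_deprecated adbd:fd use;` and drops `connectto` and every `unix_stream_socket` permission. I would reword it to `# Use a file descriptor passed from adbd (e.g. adb backup/restore).` so the comment matches what is actually granted. It may also be worth checking whether `adbd:fd use` alone is still useful to a domain without its own adbd socket permissions; that cannot be determined from this hunk.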
@@ -33,14 +21,9 @@ auditallow { domain_deprecated -healthd -init -installd -priv_app -servicemanage
 auditallow { domain_deprecated -healthd -init -installd  -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
 auditallow { domain_deprecated -appdomain -healthd -init -installd -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
-# Device accesses.
-allow domain_deprecated device:file read;
-auditallow domain_deprecated device:file read;
-
 # System file accesses.
 allow domain_deprecated system_file:dir r_dir_perms;
 allow domain_deprecated system_file:file r_file_perms;
-allow domain_deprecated system_file:lnk_file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
@@ -60,16 +43,6 @@ auditallow {
   -system_server
   -zygote
 } system_file:file { ioctl lock }; # read open getattr in domain
-auditallow {
-  domain_deprecated
-  -appdomain
-  -init
-  -installd
-  -rild
-  -surfaceflinger
-  -system_server
-  -zygote
-} system_file:lnk_file { getattr open ioctl lock }; # read in domain
 
 # Read files already opened under /data.
 allow domain_deprecated system_data_file:file { getattr read };
@@ -85,32 +58,6 @@ auditallow { domain_deprecated -appdomain -dex2oat -init -installd -system_serve
 auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:file r_file_perms;
 auditallow { domain_deprecated -appdomain -dex2oat -installd -system_server } apk_data_file:lnk_file r_file_perms;
 
-# Read /data/dalvik-cache.
-allow domain_deprecated dalvikcache_data_file:dir { search getattr };
-allow domain_deprecated dalvikcache_data_file:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -debuggerd
-  -dex2oat
-  -dumpstate
-  -init
-  -installd
-  -system_server
-  -zygote
-} dalvikcache_data_file:dir { search getattr };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -debuggerd
-  -dex2oat
-  -dumpstate
-  -init
-  -installd
-  -system_server
-  -zygote
-} dalvikcache_data_file:file r_file_perms;
-
 # Read already opened /cache files.
 allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
-- 
GitLab