From f45db06c2bc829abb8b6af13d3b1504deb427285 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 4 Jun 2018 11:00:36 -0700
Subject: [PATCH] Deprivilege haiku

Clatd and zygote
are all overprivileged
as is storaged

Test: Verify no "granted" messages from dogfooders. Build and flash
aosp_taimen-userdebug. Verify no denials.
Change-Id: I735adcffed553962ad12072716a7200883930dcf
---
 private/storaged.te | 4 ----
 private/zygote.te   | 6 ------
 public/logd.te      | 4 ----
 3 files changed, 14 deletions(-)

diff --git a/private/storaged.te b/private/storaged.te
index ff5390a1d..0916adf95 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,10 +5,6 @@ type storaged_exec, exec_type, file_type;
 init_daemon_domain(storaged)
 
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net_type)
-userdebug_or_eng(`
-  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 r_dir_file(storaged, domain)
 
 # Read /proc/uid_io/stats
diff --git a/private/zygote.te b/private/zygote.te
index 281097643..ac1ef0087 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -92,12 +92,6 @@ allow zygote storage_file:dir { search mounton };
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
 
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net_type)
-userdebug_or_eng(`
-  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
 # Root fs.
 r_dir_file(zygote, rootfs)
 
diff --git a/public/logd.te b/public/logd.te
index 23318b0f9..2ef257f38 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -6,10 +6,6 @@ type logd_exec, exec_type, file_type;
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net_type)
-userdebug_or_eng(`
-  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;
-- 
GitLab