Deprivilege haiku

Clatd and zygote are all overprivileged as is storaged Test: Verify no "granted" messages from dogfooders. Build flash aosp_taimen-userdebug. Verify no denials. Change-Id: I735adcffed553962ad12072716a7200883930dcf

Deprivilege haiku
Clatd and zygote are all overprivileged as is storaged Test: Verify no "granted" messages from dogfooders. Build flash aosp_taimen-userdebug. Verify no denials. Change-Id: I735adcffed553962ad12072716a7200883930dcf
f45db06c · Jeff Vander Stoep · 9c7396d5 · f45db06c · f45db06c · f45db06c
Commit f45db06c authored 6 years ago by Jeff Vander Stoep
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,10 +5,6 @@ type storaged_exec, exec_type, file_type;
 init_daemon_domain(storaged)
 # Read access to pseudo filesystems
-r_dir_file(storaged, proc_net_type)
-userdebug_or_eng(`
-  auditallow storaged proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 r_dir_file(storaged, domain)
 # Read /proc/uid_io/stats

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -92,12 +92,6 @@ allow zygote storage_file:dir { search mounton };
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
-# Read access to pseudo filesystems.
-r_dir_file(zygote, proc_net_type)
-userdebug_or_eng(`
-  auditallow zygote proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 # Root fs.
 r_dir_file(zygote, rootfs)

--- a/public/logd.te
+++ b/public/logd.te
@@ -6,10 +6,6 @@ type logd_exec, exec_type, file_type;
 r_dir_file(logd, cgroup)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
-r_dir_file(logd, proc_net_type)
-userdebug_or_eng(`
-  auditallow logd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
 allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
 allow logd self:global_capability2_class_set syslog;