remove system_server debugfs:file r_file_perms

Auditallow added in commit 72edbb3e ("Audit generic debugfs access for removal", May 01 2018) has not triggered. Remove allow rule and tighten up neverallow rule. Test: policy compiles Test: no collected SELinux denials. Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1

remove system_server debugfs:file r_file_perms
Auditallow added in commit 72edbb3e ("Audit generic debugfs access for removal", May 01 2018) has not triggered. Remove allow rule and tighten up neverallow rule. Test: policy compiles Test: no collected SELinux denials. Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
fe4061da · Nick Kralevich · 6567cc26 · fe4061da · fe4061da
Commit fe4061da authored 6 years ago by Nick Kralevich
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.

--- a/public/domain.te
+++ b/public/domain.te
@@ -1387,8 +1387,8 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
+# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.