From fe4061da837567a87b218d487058f1f5b86a7589 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 16 Nov 2018 11:23:54 -0800
Subject: [PATCH] remove system_server debugfs:file r_file_perms

Auditallow added in commit 72edbb3e83 ("Audit generic debugfs access for
removal", May 01 2018) has not triggered. Remove allow rule and tighten
up neverallow rule.

Test: policy compiles
Test: no collected SELinux denials.
Change-Id: I9a90463575f9eab4711b72d6f444fa9d526b80e1
---
 private/system_server.te | 2 --
 public/domain.te         | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index c2033dbbd..d8a67c374 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
diff --git a/public/domain.te b/public/domain.te
index 13f52dc23..20ae4a9f1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1387,8 +1387,8 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
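Review bot: Dropping `-system_server` from the neverallow in `public/domain.te` makes this a build-time constraint on every policy compiled against it, while the commit's evidence (the auditallow never fired, no denials collected) only covers runtime behaviour on the devices that were tested. A device tree that still grants `system_server` access to generically labelled `debugfs` files would presumably now fail the neverallow check, so the comment above the rule could say what to do instead, e.g. `# system_server must use a specific label such as debugfs_wakeup_sources.` The remaining `# TODO: fix dumpstate` has no owner or tracking reference; something like `# TODO(b/<bug-id>): remove the dumpstate exemption` would make the last exemption auditable. As far as the hunk shows, the rule only constrains the `file` class with `no_rw_file_perms`, so it is worth confirming whether other classes on the generic `debugfs` label are restricted elsewhere.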
-- 
GitLab