From 01ee59a7b48fd35efef08ab71501d1db88e68872 Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Thu, 26 Jan 2017 20:01:50 -0800
Subject: [PATCH] Remove SElinux audit to libart_file

Since it was introduced it caused quite a few issues and it spams the
SELinux logs unnecessarily.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
---
 private/app.te        |  3 ---
 private/file_contexts |  2 --
 private/zygote.te     |  2 --
 public/crash_dump.te  |  3 ---
 public/dex2oat.te     |  3 ---
 public/domain.te      | 19 ++-----------------
 public/dumpstate.te   |  1 -
 public/file.te        |  2 --
 public/profman.te     |  2 --
 public/recovery.te    |  2 +-
 10 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/private/app.te b/private/app.te
index 84be2bf5e..d27ce64af 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,9 +14,6 @@ allow appdomain zygote_tmpfs:file read;
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
-# allow access to the interpreter
-allow appdomain libart_file:file { execute read open getattr };
-
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
diff --git a/private/file_contexts b/private/file_contexts
index 33b201e1d..9236bfe83 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,8 +239,6 @@
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
-/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
-/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
diff --git a/private/zygote.te b/private/zygote.te
index f9213cedf..f0ac0b2ab 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -40,8 +40,6 @@ allow zygote dalvikcache_data_file:lnk_file create_file_perms;
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 
-# For art.
-allow zygote libart_file:file { execute read open getattr };
 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
 # /data/dalvik-cache.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index af74247f7..e117176c4 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -24,9 +24,6 @@ allow crash_dump exec_type:file r_file_perms;
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;
 
-# Unwind through libart.
-allow crash_dump libart_file:file r_file_perms;
-
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
diff --git a/public/dex2oat.te b/public/dex2oat.te
index be9877cf4..f4a7418c3 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -6,9 +6,6 @@ r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})
 
 allow dex2oat tmpfs:file { read getattr };
 
-# allow access to the interpreter
-allow dex2oat libart_file:file { execute read open getattr };
-
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
diff --git a/public/domain.te b/public/domain.te
index ca8683660..5df7a4351 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,21 +94,6 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
-# Initially grant all domains access to libart.
-# TODO move to a whitelist. b/29795519
-allow domain libart_file:file { execute read open getattr };
-auditallow {
-  domain
-  -appdomain
-  -crash_dump
-  -dex2oat
-  -dumpstate
-  -profman
-  -recovery
-  -webview_zygote
-  -zygote
-} libart_file:file { execute read open getattr };
-
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -308,7 +293,7 @@ neverallow {
     -system_server
     -webview_zygote
     -zygote
-} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs
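Review bot: With `-libart_file` dropped from the exclusion set of this neverallow, the restricted domains can execute libart only if it ends up labeled `system_file`, and the patch does not show which file_contexts entry now labels `/system/lib(64)?/libart.*` and `/system/fake-lib(64)?/libart.*`. Presumably the generic /system entry covers both paths; this is worth confirming for `fake-lib` in particular, because a mislabeled libart would surface as a runtime denial, not as a build-time neverallow failure. A short comment above the rule, e.g. `# libart is covered by system_file; it no longer has its own type`, would record the dependency. The neverallow statement starts before this hunk and the following one continues past it.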
@@ -640,7 +625,7 @@ neverallow * ~servicemanager:service_manager list;
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
 
 # Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set; 
+# TODO - rework this: neverallow * ~property_type:property_service set;
 
 # Domain types should never be assigned to any files other
 # than the /proc/pid files associated with a process. The
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a70614dab..bac648e2b 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -114,7 +114,6 @@ allow dumpstate zygote_exec:file rx_file_perms;
 allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate libart_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:dir { search getattr };
 allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 7bf44ccb4..c48e04ede 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,6 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
-# Type for /system/*/libart*
-type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
diff --git a/public/profman.te b/public/profman.te
index 6afd417f9..ff8154060 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,8 +2,6 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;
 
-allow profman libart_file:file r_file_perms;
-
 allow profman user_profile_data_file:file { getattr read write lock };
 
 # Dumping profile info opens the application APK file for pretty printing.
diff --git a/public/recovery.te b/public/recovery.te
index c607d034c..11c01ed50 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -28,7 +28,7 @@ recovery_only(`
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the
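Review bot: The braces around the single type in `allow recovery { system_file }:{ file lnk_file } ...` are left over from the removed `libart_file` entry and make the rule read as a set when it has only one member. Writing it as `allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };` matches the `system_file:dir` rule on the following line. The enclosing recovery_only block starts before this hunk and continues past it.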
-- 
GitLab