Remove SElinux audit to libart_file

Since it was introduced it caused quite a few issues and it spams the SElinux logs unnecessary. The end goal of the audit was to whitelist the access to the interpreter. However that's unfeasible for now given the complexity. Test: devices boots and everything works as expected no more auditallow logs Bug: 29795519 Bug: 32871170 Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6

Remove SElinux audit to libart_file
01ee59a7 · Calin Juravle · 9e90f83e · 01ee59a7 · 01ee59a7 · 01ee59a7
Commit 01ee59a7 authored 8 years ago by Calin Juravle
--- a/private/app.te
+++ b/private/app.te
@@ -14,9 +14,6 @@ allow appdomain zygote_tmpfs:file read;
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;

-# allow access to the interpreter
-allow appdomain libart_file:file { execute read open getattr };
-
 allow appdomain ashmem_device:chr_file execute;

 # Receive and use open file descriptors inherited from zygote.

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,8 +239,6 @@
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
-/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
-/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0

--- a/private/zygote.te
+++ b/private/zygote.te
@@ -40,8 +40,6 @@ allow zygote dalvikcache_data_file:lnk_file create_file_perms;
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;

-# For art.
-allow zygote libart_file:file { execute read open getattr };
 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
 # /data/dalvik-cache.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;

--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -24,9 +24,6 @@ allow crash_dump exec_type:file r_file_perms;
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;

-# Unwind through libart.
-allow crash_dump libart_file:file r_file_perms;
-
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)


--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -6,9 +6,6 @@ r_dir_file(dex2oat, {apk_data_file ephemeral_apk_data_file})

 allow dex2oat tmpfs:file { read getattr };

-# allow access to the interpreter
-allow dex2oat libart_file:file { execute read open getattr };
-
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where

--- a/public/domain.te
+++ b/public/domain.te
@@ -94,21 +94,6 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;

-# Initially grant all domains access to libart.
-# TODO move to a whitelist. b/29795519
-allow domain libart_file:file { execute read open getattr };
-auditallow {
-  domain
-  -appdomain
-  -crash_dump
-  -dex2oat
-  -dumpstate
-  -profman
-  -recovery
-  -webview_zygote
-  -zygote
-} libart_file:file { execute read open getattr };
-
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;

@@ -308,7 +293,7 @@ neverallow {
    -system_server
    -webview_zygote
    -zygote
-} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
    domain
    -appdomain # for oemfs

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -114,7 +114,6 @@ allow dumpstate zygote_exec:file rx_file_perms;
 allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate libart_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:dir { search getattr };
 allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;

--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,6 @@ type unlabeled, file_type;
 type system_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
-# Type for /system/*/libart*
-type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds

--- a/public/profman.te
+++ b/public/profman.te
@@ -2,8 +2,6 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;

-allow profman libart_file:file r_file_perms;
-
 allow profman user_profile_data_file:file { getattr read write lock };

 # Dumping profile info opens the application APK file for pretty printing.

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -28,7 +28,7 @@ recovery_only(`

  # Create and relabel files and directories under /system.
  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };

  # We may be asked to set an SELinux label for a type not known to the