Remove domain_deprecated from sdcard domains

Remove from blkid, blkid_untrusted, fsck, fsck_untrusted, sdcardd and sgdisk. Tested by adding external sdcard with and without "adb shell sm set-force-adoptable true" command. Address the following denials: avc: denied { read } for name="swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { open } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { getattr } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { read } for name="filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { open } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file avc: denied { getattr } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file Change-Id: I097e2ba5205e43f8ee613dae063f773a35ce3d73

Remove domain_deprecated from sdcard domains
0c7bc58e · Jeff Vander Stoep · 792622c3 · 0c7bc58e · 0c7bc58e · 0c7bc58e
Commit 0c7bc58e authored 9 years ago by Jeff Vander Stoep
--- a/blkid.te
+++ b/blkid.te
 # blkid called from vold
-type blkid, domain, domain_deprecated;
+type blkid, domain;
 type blkid_exec, exec_type, file_type;

 # Allowed read-only access to encrypted devices to extract UUID/label
@@ -14,6 +14,9 @@ allow blkid vold:fifo_file { read write getattr };
 # For blkid launched through popen()
 allow blkid blkid_exec:file rx_file_perms;

+# access to /proc/filesystems
+allow blkid proc:file r_file_perms;
+
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;

--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
 # blkid for untrusted block devices
-type blkid_untrusted, domain, domain_deprecated;
+type blkid_untrusted, domain;

 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;

--- a/fsck.te
+++ b/fsck.te
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;

 init_daemon_domain(fsck)
@@ -24,6 +24,8 @@ allow fsck dm_device:blk_file rw_file_perms;
 # fsck performs a stat() on swap to verify that it is a valid
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
+# access to /proc/swaps
+allow fsck proc:file r_file_perms;

 ###
 ### neverallow rules

--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;

 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

--- a/sdcardd.te
+++ b/sdcardd.te
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;

 allow sdcardd cgroup:dir create_dir_perms;

--- a/sgdisk.te
+++ b/sgdisk.te
 # sgdisk called from vold
-type sgdisk, domain, domain_deprecated;
+type sgdisk, domain;
 type sgdisk_exec, exec_type, file_type;

 # Allowed to read/write low-level partition tables