From 0c994c3942a4709112d1be6c11802be797c91471 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 9 Sep 2016 07:27:27 -0700
Subject: [PATCH] Revert "domain_deprecate: remove observed audit messages"

This reverts commit 8486f4e601bee17126f15d3be0b15fc4ca06b25c.

Bug: 31364540
Change-Id: I7dee039540864a3244ee6d9fbb200ef177c42465
---
 domain_deprecated.te | 12 ++++++------
 mediaextractor.te | 1 -
 uncrypt.te | 2 --
 3 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index fb115af67..2501345e8 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -1,10 +1,10 @@
 # rules removed from the domain attribute
 
 # Read access to properties mapping.
-allow domain_deprecated kernel:fd use;
+allow { domain_deprecated -init } kernel:fd use;
 allow domain_deprecated tmpfs:file { read getattr };
 allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow { domain_deprecated -init } kernel:fd use;
+auditallow domain_deprecated kernel:fd use;
 auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
 auditallow domain_deprecated tmpfs:lnk_file { read getattr };
 
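Review bot: The restored pair for kernel:fd is out of step: `allow { domain_deprecated -init } kernel:fd use;` carves init out of the grant, but `auditallow domain_deprecated kernel:fd use;` keeps init in the audited set. auditallow only records accesses that some rule grants, so any kernel:fd audit records for init produced by this line would reflect a grant from init's own policy (presumably init.te, not visible here) rather than reliance on domain_deprecated, which is the signal this file exists to collect. If the revert is meant to be wholesale, a one-line comment such as `# init is granted kernel:fd by its own domain rules; its hits here do not indicate domain_deprecated reliance` would keep the next reader from "fixing" the mismatch; otherwise exclude init from the auditallow as well so the two sets agree. The other two domain_deprecated.te hunks keep their exclusion sets in step with the grants removed from mediaextractor.te and uncrypt.te in this same patch.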
@@ -29,9 +29,9 @@ auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_sock
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:file r_file_perms;
+auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
 # Device accesses.
 allow domain_deprecated device:file read;
@@ -98,7 +98,7 @@ auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
 
diff --git a/mediaextractor.te b/mediaextractor.te
index 7b873d621..38ca2750e 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -16,7 +16,6 @@ allow mediaextractor mediaextractor_service:service_manager add;
 
 allow mediaextractor system_server:fd use;
 r_dir_file(mediaextractor, cgroup)
-allow mediaextractor proc_meminfo:file r_file_perms;
 
 ###
 ### neverallow rules
diff --git a/uncrypt.te b/uncrypt.te
index 308e0f629..d2bad539c 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -36,5 +36,3 @@ allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
 allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
-- 
GitLab