From 142f97b758c232ef0300578371152739d81408a3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 7 Nov 2015 09:20:16 -0800
Subject: [PATCH] system_server: clean up stale rules

979adffd45914bd7b357c404437c64bb59bec51a added an auditallow
to see if system_server was relabeling system_data_file.
The auditallow rule hasn't triggered, so remove the allow rule.

a3c97a7660bae649674e717bf7a9593f0d8370d7 added an auditallow
to see if system_server was executing toolbox. The auditallow
rule hasn't triggered, so remove the allow rule. AFAIK,
system_server never executes ANY file, so further tightening here
is feasible.

Change-Id: Ia0a93f3833e32c3e2c898463bd8813701a6dd20a
---
 system_server.te | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/system_server.te b/system_server.te
index 93849e410..8ab675505 100644
--- a/system_server.te
+++ b/system_server.te
@@ -277,11 +277,6 @@ allow system_server system_data_file:file relabelfrom;
 allow system_server wallpaper_file:file relabelto;
 allow system_server wallpaper_file:file { rw_file_perms unlink };
 
-# This was originally required for relabeling /data/anr,
-# but should not be used anymore. TODO: remove it.
-allow system_server system_data_file:dir relabelfrom;
-auditallow system_server system_data_file:dir relabelfrom;
-
 # Property Service write
 set_prop(system_server, system_prop)
 set_prop(system_server, dhcp_prop)
@@ -317,10 +312,6 @@ allow system_server cache_file:fifo_file create_file_perms;
 # Run system programs, e.g. dexopt.
 allow system_server system_file:file x_file_perms;
 
-# XXX Run toolbox.  Might not be needed.
-allow system_server toolbox_exec:file rx_file_perms;
-auditallow system_server toolbox_exec:file rx_file_perms;
-
 # LocationManager(e.g, GPS) needs to read and write
 # to uart driver and ctrl proc entry
 allow system_server gps_device:chr_file rw_file_perms;
-- 
GitLab