From 275f6dd5a3d22857980575d00d668747e89dc2a1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 27 Jul 2017 06:43:30 -0700
Subject: [PATCH] domain_deprecated: remove sysfs rules

Clean up the remaining granted permissions in domain_deprecated.

avc: granted { read open } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17591 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file
avc: granted { getattr } for comm="uncrypt"
path="/sys/firmware/devicetree/base/firmware/android/compatible"
dev="sysfs" ino=17583 scontext=u:r:uncrypt:s0
tcontext=u:object_r:sysfs:s0 tclass=file

avc: granted { read open } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab" dev="sysfs"
ino=17258 scontext=u:r:update_engine:s0 tcontext=u:object_r:sysfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine"
path="/sys/firmware/devicetree/base/firmware/android/fstab/compatible"
dev="sysfs" ino=17259 scontext=u:r:update_engine:s0
tcontext=u:object_r:sysfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: Id318ce84894c1001361923f5205de093a15c1e6a
---
 private/domain_deprecated.te   | 46 ----------------------------------
 public/uncrypt.te              |  3 +++
 public/update_engine_common.te |  3 +++
 3 files changed, 6 insertions(+), 46 deletions(-)
 delete mode 100644 private/domain_deprecated.te

diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
deleted file mode 100644
index a440bfe54..000000000
--- a/private/domain_deprecated.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# rules removed from the domain attribute
-
-# Read access to pseudo filesystems.
-r_dir_file(domain_deprecated, sysfs)
-
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -fingerprintd
-  -healthd
-  -netd
-  -recovery
-  -system_app
-  -surfaceflinger
-  -system_server
-  -tee
-  -ueventd
-  -vold
-} sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
-')
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 59f7da363..67189ae15 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -40,3 +40,6 @@ r_dir_file(uncrypt, rootfs)
 
 # uncrypt reads /proc/cmdline
 allow uncrypt proc:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs)
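Review bot: The added `r_dir_file(uncrypt, sysfs)` lets uncrypt read every directory, file and symlink carrying the generic `sysfs` label, while the audit lines in the commit message show it touching only the `compatible` nodes under `/sys/firmware/devicetree/base/firmware/android`. The comment `# Read files in /sys` does not record what the grant is for; something like `# uncrypt reads the fstab "compatible" nodes under /sys/firmware/devicetree (labelled sysfs)` would let a later reader judge whether it is still needed. If those device-tree nodes can be given a type of their own, the rule could be narrowed to that type instead of all of sysfs. The same breadth and comment point applies to the rule added in public/update_engine_common.te.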
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 2a0266ed6..7680e07da 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -44,3 +44,6 @@ allow update_engine proc_misc:file r_file_perms;
 
 # read directories on /system and /vendor
 allow update_engine system_file:dir r_dir_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs)
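Review bot: The rule added at the end of update_engine_common.te names the wrong domain: `r_dir_file(uncrypt, sysfs)` grants uncrypt a second time and gives update_engine nothing, although the context lines just above use `update_engine` as the source and the commit message lists update_engine's sysfs accesses. Because this commit also deletes the domain_deprecated rule that previously covered those reads, update_engine would presumably be denied them once this lands. The line most likely should read `r_dir_file(update_engine, sysfs)`. "Test: build" would not catch this, since the policy compiles either way.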
-- 
GitLab