From 28afdd9234236d0b3c510f28255aa14625d11457 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 26 Feb 2014 16:46:33 -0500
Subject: [PATCH] Deduplicate binder_call rules.

A number of binder_call rules are duplicated by other rules
written in terms of attributes/sets (e.g. appdomain, binderservicedomain).
Get rid of the duplicates.

Also use binder_use() in racoon.te rather than manually writing the
base rule for communicating with the servicemanager.

Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 8 --------
 racoon.te        | 2 +-
 system_app.te    | 3 ---
 system_server.te | 1 -
 4 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/app.te b/app.te
index 3e58736b9..a6f584d22 100644
--- a/app.te
+++ b/app.te
@@ -36,14 +36,12 @@ allow appdomain devpts:chr_file { getattr read write ioctl };
 # Communicate with system_server.
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
-binder_call(appdomain, system_server)
 
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -110,12 +108,6 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
 
-# Allow applications to communicate with drmserver over binder
-binder_call(appdomain, drmserver)
-
-# Allow applications to communicate with mediaserver over binder
-binder_call(appdomain, mediaserver)
-
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #
diff --git a/racoon.te b/racoon.te
index 1fbdb07fa..02b4ba342 100644
--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,7 @@ typeattribute racoon mlstrustedsubject;
 
 net_domain(racoon)
 
-binder_call(racoon, servicemanager)
+binder_use(racoon)
 binder_call(racoon, keystore)
 
 allow racoon tun_device:chr_file r_file_perms;
diff --git a/system_app.te b/system_app.te
index a20a4ece1..dc0211883 100644
--- a/system_app.te
+++ b/system_app.te
@@ -9,9 +9,6 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
 
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
-
 # Read and write system data files.
 # May want to split into separate types.
 allow system_app system_data_file:dir create_dir_perms;
diff --git a/system_server.te b/system_server.te
index d7fd53039..cf4b15843 100644
--- a/system_server.te
+++ b/system_server.te
@@ -100,7 +100,6 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
-binder_call(system_server, healthd)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
 
-- 
GitLab