Deduplicate binder_call rules.

A number of binder_call rules are duplicated by other rules written in terms of attributes/sets (e.g. appdomain, binderservicedomain). Get rid of the duplicates. Also use binder_use() in racoon.te rather than manually writing the base rule for communicating with the servicemanager. Change-Id: I5a459cc2154b1466bcde6eccef253dfcdcb44e0a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Deduplicate binder_call rules.
28afdd92 · Stephen Smalley · Nick Kralevich · 63b98b17 · 28afdd92 · 28afdd92
Commit 28afdd92 authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago
--- a/app.te
+++ b/app.te
@@ -36,14 +36,12 @@ allow appdomain devpts:chr_file { getattr read write ioctl };
 # Communicate with system_server.
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
-binder_call(appdomain, system_server)
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 # Communicate with surfaceflinger.
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
-binder_call(appdomain, surfaceflinger)
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
@@ -110,12 +108,6 @@ allow appdomain system_data_file:lnk_file getattr;
 allow appdomain download_file:dir search;
 allow appdomain download_file:file r_file_perms;
-# Allow applications to communicate with drmserver over binder
-binder_call(appdomain, drmserver)
-# Allow applications to communicate with mediaserver over binder
-binder_call(appdomain, mediaserver)
 # Allow apps to use the USB Accessory interface.
 # http://developer.android.com/guide/topics/connectivity/usb/accessory.html
 #

--- a/racoon.te
+++ b/racoon.te
@@ -8,7 +8,7 @@ typeattribute racoon mlstrustedsubject;
 net_domain(racoon)
-binder_call(racoon, servicemanager)
+binder_use(racoon)
 binder_call(racoon, keystore)
 allow racoon tun_device:chr_file r_file_perms;

--- a/system_app.te
+++ b/system_app.te
@@ -9,9 +9,6 @@ app_domain(system_app)
 net_domain(system_app)
 binder_service(system_app)
-# Perform binder IPC to any app domain.
-binder_call(system_app, appdomain)
 # Read and write system data files.
 # May want to split into separate types.
 allow system_app system_data_file:dir create_dir_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -100,7 +100,6 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, appdomain)
-binder_call(system_server, healthd)
 binder_call(system_server, dumpstate)
 binder_service(system_server)