From 2b75437dc82b43d8e9c3cbda8bd92452968d6071 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 11 Jul 2017 22:00:08 -0700
Subject: [PATCH] domain_deprecate: remove system_data_file access

scontext=installd
avc: granted { getattr } for comm="Binder:1153_7" path="/data/user/0"
dev="sda13" ino=1097730 scontext=u:r:installd:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file

scontext=runas
avc: granted { getattr } for comm="run-as" path="/data/user/0"
dev="sda35" ino=942082 scontext=u:r:runas:s0
tcontext=u:object_r:system_data_file:s0 tclass=lnk_file

scontext=vold
avc: granted { getattr } for comm="vold" path="/data/data" dev="sda45"
ino=12 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=lnk_file
avc: granted { read } for comm="secdiscard"
name="3982c444973581d4.spblob" dev="sda45" ino=4620302
scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0
tclass=file

Bug: 28760354
Test: Build
Change-Id: Id16c43090675572af35f1ad9defd4c368abc906b
---
 public/domain_deprecated.te | 19 -------------------
 public/installd.te          |  2 +-
 public/runas.te             |  1 +
 public/vold.te              |  4 ++++
 4 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 5c8c07eae..a17c105c6 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -1,24 +1,5 @@
 # rules removed from the domain attribute
 
-# Read files already opened under /data.
-allow domain_deprecated system_data_file:file { getattr read };
-allow domain_deprecated system_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -sdcardd
-  -system_server
-  -tee
-} system_data_file:file { getattr read };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -system_server
-  -tee
-} system_data_file:lnk_file r_file_perms;
-')
-
 # Read apk files under /data/app.
 allow domain_deprecated apk_data_file:dir { getattr search };
 allow domain_deprecated apk_data_file:file r_file_perms;
diff --git a/public/installd.te b/public/installd.te
index 8440994e4..df14956c0 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -37,7 +37,7 @@ allow installd asec_image_file:file getattr;
 # and lib symlinks before the setfilecon call.  May want to
 # move symlink creation after setfilecon in installd.
 allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
+allow installd system_data_file:lnk_file { create getattr setattr unlink };
 
 # Upgrade /data/media for multi-user if necessary.
 allow installd media_rw_data_file:dir create_dir_perms;
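Review bot: The new `getattr` in `allow installd system_data_file:lnk_file { create getattr setattr unlink };` is not explained by the comment block above it, which (starting outside the hunk) only covers creating the lib symlinks before the setfilecon call; the only justification is the avc line in the commit message showing installd calling getattr on path="/data/user/0". Add a one-line comment directly above the rule so the reason survives in the policy file, e.g. `# getattr: installd also stats the /data/user/<id> symlinks.` Keeping the comment tied to the symlink class makes it clear the rule is not a step towards reopening the broader system_data_file:file access that the domain_deprecated hunk removes.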
diff --git a/public/runas.te b/public/runas.te
index 54c94c26b..44e8e3ab1 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -12,6 +12,7 @@ allow runas shell_data_file:file { read write };
 
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
 
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
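Review bot: The added `allow runas system_data_file:lnk_file getattr;` is placed under `# run-as reads package information.`, but stat'ing a symlink is not reading package information; the avc quoted in the commit message shows run-as calling getattr on path="/data/user/0", i.e. resolving the per-user data directory link. Give the rule its own comment so it is not read as an extension of the package-information access, e.g. `# run-as stats the /data/user/<id> symlink on the way to the app data dir.` directly above the added line.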
diff --git a/public/vold.te b/public/vold.te
index f4a391693..7503d8f4f 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -100,6 +100,10 @@ allow vold efs_file:file rw_file_perms;
 
 # Create and mount on /data/tmp_mnt and management of expansion mounts
 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# for secdiscard
+allow vold system_data_file:file read;
 
 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;
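Review bot: `allow vold system_data_file:file read;` is the widest grant in this patch: it lets vold read every file of type system_data_file, while the cited avc names a single `.spblob` file read by secdiscard, and the domain_deprecated hunk in this same change is retiring exactly this read permission from the other domains. If the spblob files can be given a dedicated type, the rule could be narrowed to that type instead of the whole of system_data_file; if that is not practical now, the comment should at least record the scope so it can be revisited, e.g. `# secdiscard reads *.spblob files labelled system_data_file (bug 28760354); read on the whole type is broader than that use.` The `lnk_file getattr` line added above under the tmp_mnt comment would likewise benefit from a short note naming the /data/data symlink from the avc, since the existing comment only mentions directory operations.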
-- 
GitLab