From 2c8bf56f9698923641a0628bae37fe9b2033c0bb Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 30 May 2014 09:42:01 -0400
Subject: [PATCH] Only auditallow unlabeled accesses not allowed elsewhere.

https://android-review.googlesource.com/#/c/95900/ added further
unlabeled rules for installd and added explicit unlabeled rules for
vold and system_server.  Exclude these permissions from the auditallow
rules on unlabeled so that we only see the ones that would be denied if
we were to remove the allow domain rules here.

Change-Id: I2b9349ad6606bcb6a74a7e67343a8a9e5d70174c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/domain.te b/domain.te
index e27797267..5464d86f0 100644
--- a/domain.te
+++ b/domain.te
@@ -150,11 +150,18 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
 auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
-auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
+auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
+auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
+auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
+auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
+auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
+auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
+auditallow system_server unlabeled:dir ~r_dir_perms;
+auditallow system_server unlabeled:file ~r_file_perms;
+auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
 
 ###
 ### neverallow rules
-- 
GitLab