From 349368244cb2c76d4b394035b8b7488f4f46bdd2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 23 Apr 2016 11:14:06 -0700
Subject: [PATCH] reduce duplicate SELinux rules

When using domain_trans(init, foo_exec, foo), don't add the
following rule:

  allow foo init:process sigchld;

This is already allowed for all domains in domain.te:

  # Allow reaping by init.
  allow domain init:process sigchld;

So adding it over and over again is redundant and bloats the
policy. More specifically, when I run:

  sepolicy-analyze out/target/product/bullhead/root/sepolicy dups

this change reduces the number of duplicate policy statements
from 461 to 389.

Change-Id: I8632e5649a54f63eb1f79ea6405c4b3f515f544c
---
 system_server.te | 3 ---
 te_macros        | 2 +-
 ueventd.te       | 1 -
 3 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/system_server.te b/system_server.te
index 7baf3ee4a..c2b72bfe1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -111,9 +111,6 @@ allow system_server node:rawip_socket node_bind;
 # 3rd party VPN clients require a tun_socket to be created
 allow system_server self:tun_socket create_socket_perms;
 
-# Notify init of death.
-allow system_server init:process sigchld;
-
 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
diff --git a/te_macros b/te_macros
index 84af301eb..9600b5273 100644
--- a/te_macros
+++ b/te_macros
@@ -13,7 +13,7 @@ allow $1 $3:process transition;
 # New domain is entered by executing the file.
 allow $3 $2:file { entrypoint open read execute getattr };
 # New domain can send SIGCHLD to its caller.
-allow $3 $1:process sigchld;
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
 dontaudit $1 $3:process noatsecure;
 # XXX dontaudit candidate but requires further study.
diff --git a/ueventd.te b/ueventd.te
index f67c0db86..e44620728 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -8,7 +8,6 @@ tmpfs_domain(ueventd)
 type_transition ueventd device:chr_file klog_device "__kmsg__";
 allow ueventd klog_device:chr_file { create open write unlink };
 
-allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
 allow ueventd device:chr_file rw_file_perms;
-- 
GitLab