DO NOT MERGE: domain_deprecate: remove observed audit messages

(cherry picked from commit 8486f4e6) Grant observed permissions Addresses: init avc: granted { use } for pid=1 comm="init" path="/sys/fs/selinux/null" dev="selinuxfs" ino=22 scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=fd mediaextractor avc: granted { getattr } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read } for pid=582 comm="mediaextractor" name="meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file avc: granted { read open } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file uncrypt avc: granted { getattr } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read } for pid=6750 comm="uncrypt" name="fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file Bug: 28760354 Change-Id: Ibd51473c55d957aa7375de60da67cdc6504802f9

DO NOT MERGE: domain_deprecate: remove observed audit messages
3dfef1fd · Jeff Vander Stoep · Jeffrey Vander Stoep · fe8d6739 · 3dfef1fd · 3dfef1fd
Commit 3dfef1fd authored 8 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 8 years ago
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
 # rules removed from the domain attribute
 # Read access to properties mapping.
-allow { domain_deprecated -init } kernel:fd use;
+allow domain_deprecated kernel:fd use;
 allow domain_deprecated tmpfs:file { read getattr };
 allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow domain_deprecated kernel:fd use;
+auditallow { domain_deprecated -init } kernel:fd use;
 auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
 auditallow domain_deprecated tmpfs:lnk_file { read getattr };
@@ -29,9 +29,9 @@ auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_sock
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:file r_file_perms;
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 # Device accesses.
 allow domain_deprecated device:file read;
@@ -98,7 +98,7 @@ auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;

--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -16,6 +16,7 @@ allow mediaextractor mediaextractor_service:service_manager add;
 allow mediaextractor system_server:fd use;
 r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
 ###
 ### neverallow rules

--- a/uncrypt.te
+++ b/uncrypt.te
@@ -32,3 +32,5 @@ allow uncrypt block_device:dir r_dir_perms;
 # Access userdata block device.
 allow uncrypt userdata_block_device:blk_file w_file_perms;
+r_dir_file(uncrypt, rootfs)