From 5ce079b9165c18a5bd27b853e82478de8d9e0a7b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 16 May 2014 17:45:01 -0700
Subject: [PATCH] Bring back the unlabeled allowall rules

On an upgrade from 4.2 to tip-of-tree master, there are still a
number of files which aren't properly labeled. Restore the
unlabeled compat rules until we can get everything properly
labeled. It's not ideal, but it works around the immediate
problem.

After applying https://android-review.googlesource.com/94966 ,
I'm still seeing the following denials.

<4>[   12.040639] type=1400 audit(1400289656.430:4): avc:  denied  { read } for  pid=143 comm="installd" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  168.289170] type=1400 audit(1400289812.680:5): avc:  denied  { getattr } for  pid=1079 comm="system_server" path="/data/data/com.android.backupconfirm" dev=mmcblk0p9 ino=112676 scontext=u:r:system_server:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.088406] type=1400 audit(1400289813.480:6): avc:  denied  { read } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.088790] type=1400 audit(1400289813.480:7): avc:  denied  { open } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.089205] type=1400 audit(1400289813.480:8): avc:  denied  { write } for  pid=143 comm="installd" name="com.android.location.fused" dev=mmcblk0p9 ino=112720 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.089615] type=1400 audit(1400289813.480:9): avc:  denied  { remove_name } for  pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  169.090024] type=1400 audit(1400289813.480:10): avc:  denied  { unlink } for  pid=143 comm="installd" name="lib" dev=mmcblk0p9 ino=112721 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  169.090350] type=1400 audit(1400289813.480:11): avc:  denied  { rmdir } for  pid=143 comm="installd" name="com.android.renderscript.cache" dev=mmcblk0p9 ino=112902 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
<4>[  171.875822] type=1400 audit(1400289816.260:12): avc:  denied  { unlink } for  pid=143 comm="installd" name="8882B60ADE91B9E4.toc" dev=mmcblk0p9 ino=112903 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  180.615263] type=1400 audit(1400289825.000:13): avc:  denied  { rename } for  pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  180.615578] type=1400 audit(1400289825.000:14): avc:  denied  { setattr } for  pid=143 comm="installd" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:installd:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  393.934310] type=1400 audit(1400290038.320:15): avc:  denied  { read } for  pid=2410 comm="d.process.acore" name="0" dev=mmcblk0p9 ino=32194 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=lnk_file
<4>[  399.370936] type=1400 audit(1400290043.760:16): avc:  denied  { read } for  pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  399.371792] type=1400 audit(1400290043.760:17): avc:  denied  { getattr } for  pid=2998 comm="SharedPreferenc" path="/data/data/com.google.android.backuptransport/shared_prefs/BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
<4>[  399.372219] type=1400 audit(1400290043.760:18): avc:  denied  { open } for  pid=2998 comm="SharedPreferenc" name="BackupTransport.backupScheduler.xml" dev=mmcblk0p9 ino=112852 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
---
 domain.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/domain.te b/domain.te
index b8ddc2e18..0bd9ad08e 100644
--- a/domain.te
+++ b/domain.te
@@ -142,6 +142,18 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
+######## Backwards compatibility - Unlabeled files ############
+
+# Revert to DAC rules when looking at unlabeled files. Over time, the number
+# of unlabeled files should decrease.
+# TODO: delete these rules in the future.
+#
+allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+allow domain unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow kernel unlabeled:dir ~search;
+
 ###
 ### neverallow rules
 ###
-- 
GitLab