From 7e86e19d587f3922ece9ac52bba0fdf64561a4de Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 6 Oct 2015 16:05:27 -0700
Subject: [PATCH] remove "allow vold block_device:blk_file create_file_perms;"
vold hasn't use the generic "block_device" label since commit 273d7ea4ca29fbd71c2b01e69e2c5ebd1253470a (Sept 2014), and the auditallow statement in vold hasn't triggered since that time. Remove the rule which allows vold access to the generic block_device label, and remove the vold exception. Thanks to jorgelo for reminding me about this.
Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
---
 domain.te | 2 +-
 vold.te | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/domain.te b/domain.te
index 38284e222..164cad0af 100644
--- a/domain.te
+++ b/domain.te
@@ -267,7 +267,7 @@ neverallow domain init:binder *;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/vold.te b/vold.te
index 5abb2f95e..5ecb5033f 100644
--- a/vold.te
+++ b/vold.te
@@ -28,8 +28,6 @@ allow vold system_file:file x_file_perms;
 allow vold toolbox_exec:file rx_file_perms;
 auditallow vold toolbox_exec:file rx_file_perms;
 allow vold block_device:dir create_dir_perms;
-allow vold block_device:blk_file create_file_perms;
-auditallow vold block_device:blk_file create_file_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-- 
GitLab
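Review bot: The tightened neverallow in domain.te still guards only `{ open read write }` on generic `block_device:blk_file`, so the compile-time check does not cover the other permissions the deleted vold allow (`create_file_perms`) used to grant, such as `ioctl`, `create` or `setattr`; a domain that receives an already-open descriptor from an exempted domain would be outside this guard. If the intent of the comment ("force a relabel to a more specific type") is that no non-exempt domain talks to a raw block node at all, consider whether `ioctl` should be added to the neverallow set, e.g. `neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write ioctl };`, after checking that no remaining device policy depends on it. The exemptions for kernel, init, recovery and uncrypt are unchanged by this patch and deserve a one-line comment each saying why raw access is still needed there, since the rule now has no other explanation of its exception list. The hunk header claims seven context lines but only five are visible here, so surrounding blank lines of domain.te are presumably lost in this rendering.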