From 8486f4e601bee17126f15d3be0b15fc4ca06b25c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 7 Jun 2016 13:43:37 -0700
Subject: [PATCH] domain_deprecate: remove observed audit messages

Grant observed permissions

Addresses:
init
avc:  granted  { use } for  pid=1 comm="init" path="/sys/fs/selinux/null" dev="selinuxfs" ino=22 scontext=u:r:init:s0 tcontext=u:r:kernel:s0 tclass=fd

mediaextractor
avc: granted { getattr } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read } for pid=582 comm="mediaextractor" name="meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file
avc: granted { read open } for pid=582 comm="mediaextractor" path="/proc/meminfo" dev="proc" ino=4026535447 scontext=u:r:mediaextractor:s0 tcontext=u:object_r:proc_meminfo:s0 tclass=file

uncrypt
avc: granted { getattr } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read } for pid=6750 comm="uncrypt" name="fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for pid=6750 comm="uncrypt" path="/fstab.angler" dev="rootfs" ino=9809 scontext=u:r:uncrypt:s0 tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Change-Id: Ibd51473c55d957aa7375de60da67cdc6504802f9
---
 domain_deprecated.te | 12 ++++++------
 mediaextractor.te    |  1 +
 uncrypt.te           |  2 ++
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/domain_deprecated.te b/domain_deprecated.te
index 2501345e8..fb115af67 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -1,10 +1,10 @@
 # rules removed from the domain attribute
 
 # Read access to properties mapping.
-allow { domain_deprecated -init } kernel:fd use;
+allow domain_deprecated kernel:fd use;
 allow domain_deprecated tmpfs:file { read getattr };
 allow domain_deprecated tmpfs:lnk_file { read getattr };
-auditallow domain_deprecated kernel:fd use;
+auditallow { domain_deprecated -init } kernel:fd use;
 auditallow { domain_deprecated -dex2oat } tmpfs:file { read getattr };
 auditallow domain_deprecated tmpfs:lnk_file { read getattr };
 
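Review bot: The `-init` exclusion is moved from the allow rule (L38→L39) onto the auditallow (L42→L43), which widens the allow to init even though the observed message is `granted`, meaning init already obtains kernel:fd use from some other rule (presumably init.te or the domain attribute) and only the audit needed silencing. Keeping the allow narrow matters here because domain_deprecated is the attribute being unpicked, and every extra domain it grants to is another rule to retire later. Keep `allow { domain_deprecated -init } kernel:fd use;` as it was and change only the audit line to `auditallow { domain_deprecated -init } kernel:fd use;`. If init in fact lacked this permission through any other rule, the grant belongs in init.te rather than in the deprecated attribute.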
@@ -29,9 +29,9 @@ auditallow { domain_deprecated -appdomain -system_server } adbd:unix_stream_sock
 allow domain_deprecated rootfs:dir r_dir_perms;
 allow domain_deprecated rootfs:file r_file_perms;
 allow domain_deprecated rootfs:lnk_file r_file_perms;
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
-auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:file r_file_perms;
-auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:dir { open getattr read ioctl lock }; # search granted in domain
+auditallow { domain_deprecated -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:file r_file_perms;
+auditallow { domain_deprecated -appdomain -healthd -init -installd -kernel -priv_app -servicemanager -system_server -ueventd -uncrypt -vold -zygote } rootfs:lnk_file { getattr open ioctl lock }; # read granted in domain
 
 # Device accesses.
 allow domain_deprecated device:file read;
@@ -98,7 +98,7 @@ auditallow domain_deprecated inotify:dir r_dir_perms;
 auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
 auditallow { domain_deprecated -appdomain -drmserver -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -logd -mediaextractor -mediaserver -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -init -logd -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
+auditallow { domain_deprecated -appdomain -init -logd -mediaextractor -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
 auditallow { domain_deprecated -appdomain -clatd -init -logd -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
 
diff --git a/mediaextractor.te b/mediaextractor.te
index 38ca2750e..7b873d621 100644
--- a/mediaextractor.te
+++ b/mediaextractor.te
@@ -16,6 +16,7 @@ allow mediaextractor mediaextractor_service:service_manager add;
 allow mediaextractor system_server:fd use;
 
 r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
 
 ###
 ### neverallow rules
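Review bot: The new grant on L77 carries no comment explaining the access, and it sits directly under the cgroup macro line with nothing marking it as a separate permission, while the same file uses `###` headers for its neverallow section. A one-line justification keeps the rule reviewable once the audit message that motivated it is gone, for example `# Read /proc/meminfo (observed getattr/read/open, b/28760354).` placed above `allow mediaextractor proc_meminfo:file r_file_perms;`. If the read is for memory-pressure heuristics in the extractor, naming that here would also tell a later reviewer whether the rule can be dropped.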
diff --git a/uncrypt.te b/uncrypt.te
index d2bad539c..308e0f629 100644
--- a/uncrypt.te
+++ b/uncrypt.te
@@ -36,3 +36,5 @@ allow uncrypt block_device:dir r_dir_perms;
 
 # Access userdata block device.
 allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
-- 
GitLab