Merge "Installd doesn't need to create cgroup files." into pi-dev

956aba8f · Alan Stokes · Android (Google) Code Review · 404bd982 · 8e8c1093 · 956aba8f
Commit 956aba8f authored 6 years ago by Alan Stokes Committed by Android (Google) Code Review 6 years ago
--- a/private/init.te
+++ b/private/init.te
@@ -20,13 +20,3 @@ domain_trans(init, { rootfs toolbox_exec }, modprobe)
 userdebug_or_eng(`
  domain_auto_trans(init, logcat_exec, logpersist)
 ')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit init cgroup:file create;
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -134,8 +134,3 @@ neverallow zygote {

 # Do not allow access to Bluetooth-related system properties and files
 neverallow zygote bluetooth_prop:file create_file_perms;
-
-# Suppress false positives when using O_CREAT
-# to open a file that already exists.
-# There's a neverallow rule for this in domain.te
-dontaudit zygote cgroup:file create;
--- a/public/domain.te
+++ b/public/domain.te
@@ -1329,23 +1329,23 @@ neverallow {
 } self:capability dac_override;
 neverallow { domain -traced_probes } self:capability dac_read_search;

-# If an already existing file is opened with O_CREATE, the kernel might generate
+# If an already existing file is opened with O_CREAT, the kernel might generate
 # a false report of a create denial. Silence these denials and make sure that
 # inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
 neverallow domain {
  proc_type
  sysfs_type
 }:dir { add_name create link remove_name rename reparent rmdir write };

-# cgroupfs directories can be created, but not files within them
-# TODO(b/74182216): Remove the installd allow when we're sure it's not used
-neverallow {
-  domain
-  -installd
-} cgroup:file create;
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;

 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;

 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.

--- a/public/init.te
+++ b/public/init.te
@@ -326,11 +326,6 @@ allow init {
 # Allow init to write to vibrator/trigger
 allow init sysfs_vibrator:file w_file_perms;

-# Creating files on sysfs is impossible so this isn't a threat.
-# We may write to a non-existent file to avoid conditional
-# init behavior.
-dontaudit init sysfs_vibrator:dir write;
-
 # init chmod/chown access to /sys files.
 allow init {
  sysfs_android_usb

--- a/public/installd.te
+++ b/public/installd.te
@@ -19,7 +19,6 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)