From b5594c2781c1bd03a083c77164f0809ed4a69422 Mon Sep 17 00:00:00 2001
From: Lorenzo Colitti <lorenzo@google.com>
Date: Wed, 2 Mar 2016 07:53:54 +0000
Subject: [PATCH] Revert "netd: restrict netd binder access to system_server"

This reverts commit 544579597eb0940050c59184f4b005b8feff02cd.

Change-Id: Idfa0254e66f9517cc26af3c37441b47cbb984bca
---
 domain.te     | 3 +--
 dumpstate.te  | 2 +-
 netd.te       | 6 +-----
 shell.te      | 2 +-
 system_app.te | 2 +-
 5 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/domain.te b/domain.te
index 6aa69add0..9d377e50a 100644
--- a/domain.te
+++ b/domain.te
@@ -38,8 +38,7 @@ userdebug_or_eng(`
   allow domain su:fd use;
   allow domain su:unix_stream_socket { getattr getopt read write shutdown };
 
-  allow { domain -init } su:binder { call transfer };
-  allow { domain -init } su:fd use;
+  binder_call({ domain -init }, su)
 
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
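Review bot: The restored `binder_call({ domain -init }, su)` on the new side grants more than the two explicit rules it replaces: if the te_macros definition is the one I recall, binder_call also adds `allow su {domain -init}:binder transfer`, i.e. su may transfer references back to every caller, on top of the caller's `call transfer` and `fd use`. That is presumably acceptable because the rule sits inside the `userdebug_or_eng` block (which opens before this hunk) and so only affects debuggable builds, but nothing in the hunk says so. A one-line comment above the macro would make that intent explicit, e.g. `# debuggable builds only: every domain but init may call su over binder (macro also grants su the reverse transfer)`.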
diff --git a/dumpstate.te b/dumpstate.te
index ce099131e..f7a84f6bc 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -113,7 +113,7 @@ allow dumpstate tombstone_data_file:file r_file_perms;
 allow dumpstate cache_recovery_file:dir r_dir_perms;
 allow dumpstate cache_recovery_file:file r_file_perms;
 
-allow dumpstate { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
 allow dumpstate servicemanager:service_manager list;
 
 allow dumpstate devpts:chr_file rw_file_perms;
diff --git a/netd.te b/netd.te
index e3df2ba45..98a1a2a3c 100644
--- a/netd.te
+++ b/netd.te
@@ -57,6 +57,7 @@ set_prop(netd, ctl_mdnsd_prop)
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
+binder_service(netd)
 allow netd netd_service:service_manager add;
 
 # Allow netd to call into the system server so it can check permissions.
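Review bot: Restoring `binder_service(netd)` widens who can reach netd over binder beyond what the comment on the line above it ("publish a binder service and make binder calls") conveys: binder_service() tags the domain with the binderservicedomain attribute, and if this tree's app policy still carries `binder_call(appdomain, binderservicedomain)`, app domains gain call access to netd, while the neverallow rules that previously bounded netd's binder peers are dropped in the second hunk of this file. The intended set of callers is therefore recorded nowhere in the policy after this change. Suggest extending the comment, e.g. `# Allow netd to publish a binder service and make binder calls; binder_service() also makes netd a binderservicedomain, reachable by any domain granted binder_call(..., binderservicedomain).` The commit message gives no reason for undoing the restriction; recording whether this is a rollback for breakage or a policy decision would help whoever reintroduces it.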
@@ -83,8 +84,3 @@ neverallow netd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
-
-# only system_server may interact with netd over binder
-neverallow { domain -system_server } netd_service:service_manager find;
-neverallow { domain -system_server } netd:binder call;
-neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/shell.te b/shell.te
index d1c385b94..8076d460b 100644
--- a/shell.te
+++ b/shell.te
@@ -83,7 +83,7 @@ allow shell kernel:system syslog_read;
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
+allow shell { service_manager_type -gatekeeper_service }:service_manager find;
 
 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
diff --git a/system_app.te b/system_app.te
index a07a9b9d8..5e66acd73 100644
--- a/system_app.te
+++ b/system_app.te
@@ -43,7 +43,7 @@ allow system_app anr_data_file:file create_file_perms;
 allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
-allow system_app { service_manager_type -netd_service }:service_manager find;
+allow system_app service_manager_type:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
-- 
GitLab