am 29854d6d: am 02dac03a: Drop relabelto_domain() macro and its associated definitions.

* commit '29854d6d': Drop relabelto_domain() macro and its associated definitions.

am 29854d6d: am 02dac03a: Drop relabelto_domain() macro and its associated definitions.
c452e74b · Stephen Smalley · Android Git Automerger · 1b6c4ea2 · 29854d6d · c452e74b
Commit c452e74b authored 11 years ago by Stephen Smalley Committed by Android Git Automerger 11 years ago
--- a/attributes
+++ b/attributes
@@ -64,6 +64,3 @@ attribute bluetoothdomain;

 # All domains used for binder service domains.
 attribute binderservicedomain;
-
-# All domains which are allowed the "relabelto" permission
-attribute relabeltodomain;
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -12,7 +12,6 @@ allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptra
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
-relabelto_domain(debuggerd)
 allow debuggerd tombstone_data_file:dir relabelto;
 allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;

--- a/domain.te
+++ b/domain.te
@@ -146,9 +146,6 @@ allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 ### neverallow rules
 ###

-# Limit ability to relabel files to domains marked with relabelto_domain().
-neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
-
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;

--- a/dumpstate.te
+++ b/dumpstate.te
@@ -5,7 +5,6 @@ type dumpstate_exec, exec_type, file_type;

 init_daemon_domain(dumpstate)
 net_domain(dumpstate)
-relabelto_domain(dumpstate)
 binder_use(dumpstate)

 # Drop privileges by switching UID / GID

--- a/init.te
+++ b/init.te
@@ -3,7 +3,6 @@ type init, domain;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
-relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;


--- a/installd.te
+++ b/installd.te
@@ -3,7 +3,6 @@ type installd, domain;
 type installd_exec, exec_type, file_type;

 init_daemon_domain(installd)
-relabelto_domain(installd)
 typeattribute installd mlstrustedsubject;
 allow installd self:capability { chown dac_override fowner fsetid setgid setuid };
 allow installd system_data_file:file create_file_perms;

--- a/kernel.te
+++ b/kernel.te
@@ -5,7 +5,6 @@ allow kernel init:process dyntransition;

 # The kernel is unconfined.
 unconfined_domain(kernel)
-relabelto_domain(kernel)

 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;

--- a/recovery.te
+++ b/recovery.te
@@ -2,7 +2,6 @@
 type recovery, domain;
 allow recovery rootfs:file entrypoint;
 unconfined_domain(recovery)
-relabelto_domain(recovery)

 allow recovery self:capability2 mac_admin;


--- a/system_server.te
+++ b/system_server.te
@@ -175,7 +175,6 @@ allow system_server { data_file_type -keystore_data_file }:notdevfile_class_set
 security_access_policy(system_server)

 # Relabel apk files.
-relabelto_domain(system_server)
 allow system_server { apk_tmp_file apk_private_tmp_file }:file { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:file { relabelfrom relabelto };


--- a/te_macros
+++ b/te_macros
@@ -111,13 +111,6 @@ tmpfs_domain($1)
 allow $1 $1_tmpfs:file execute;
 ')

-#####################################
-# relabelto_domain(domain)
-# Allows this domain to use the relabelto permission
-define(`relabelto_domain', `
-typeattribute $1 relabeltodomain;
-')
-
 #####################################
 # net_domain(domain)
 # Allow a base set of permissions required for network access.

--- a/ueventd.te
+++ b/ueventd.te
@@ -4,7 +4,6 @@ type ueventd, domain;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)
-relabelto_domain(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };

--- a/vold.te
+++ b/vold.te
@@ -71,7 +71,6 @@ allow vold ctl_fuse_prop:property_service set;
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 security_access_policy(vold)
-relabelto_domain(vold)
 allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };