Remove -kernel -recovery from keystore_data_file neverallow.

Aside from the keystore daemon itself, only init needs any access to keystore_data_file (in order to create and potentially restorecon /data/misc/keystore). The exceptions for the kernel and recovery domains are unnecessary; no allow rule permits this access in current policy. Change-Id: I5cf6f29ec08174017ac8f5fb36fef166ce360ca0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove -kernel -recovery from keystore_data_file neverallow.
d4731ad8 · Stephen Smalley · 0d08d472 · d4731ad8
Commit d4731ad8 authored 10 years ago by Stephen Smalley
--- a/keystore.te
+++ b/keystore.te
@@ -21,8 +21,8 @@ allow keystore tee:unix_stream_socket connectto;
 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
 neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };

-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
-neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;

 neverallow domain keystore:process ptrace;