From d496ea7a61fafc7d473f91a79a5e351373e29b98 Mon Sep 17 00:00:00 2001
From: Howard Ro <yro@google.com>
Date: Sat, 16 Dec 2017 02:22:23 +0000
Subject: [PATCH] Revert "Setting up SELinux policy for statsd and stats
service"
This reverts commit 5744cbdf8d687d72e7cc363441627e3f1660c8f6.
Reason for revert: aosp_dragon-userdebug build broken
Change-Id: I5f8180273c32119ae9839f31610bbca37cd05c65
---
private/compat/26.0/26.0.ignore.cil | 7 ---
private/file.te | 3 --
private/file_contexts | 4 --
private/service.te | 2 -
private/service_contexts | 1 -
private/stats.te | 25 ----------
private/statsd.te | 72 -----------------------------
private/system_server.te | 4 +-
public/service.te | 1 +
9 files changed, 3 insertions(+), 116 deletions(-)
delete mode 100644 private/service.te
delete mode 100644 private/stats.te
delete mode 100644 private/statsd.te
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 48b4594d9..927296d2a 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -28,13 +28,6 @@
package_native_service
property_info
slice_service
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
statscompanion_service
storaged_data_file
sysfs_fs_ext4_features
diff --git a/private/file.te b/private/file.te
index 5ff77680e..5b4dbc804 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,9 +1,6 @@
# /proc/config.gz
type config_gz, fs_type;
-# /data/misc/stats-data, /data/misc/stats-service
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-
# /data/misc/storaged
type storaged_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index c93985345..ad6a9222d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -277,8 +277,6 @@
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
-/system/bin/stats u:object_r:stats_exec:s0
-/system/bin/statsd u:object_r:statsd_exec:s0
#############################
# Vendor files
@@ -386,8 +384,6 @@
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
diff --git a/private/service.te b/private/service.te
deleted file mode 100644
index 3fec8825a..000000000
--- a/private/service.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type stats_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 6a8843fc0..6451ffced 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -142,7 +142,6 @@ simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
-stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
diff --git a/private/stats.te b/private/stats.te
deleted file mode 100644
index be8cfbd25..000000000
--- a/private/stats.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type stats, domain;
-typeattribute stats coredomain;
-type stats_exec, exec_type, file_type;
-
-# switch to stats domain for stats command
-domain_auto_trans(shell, stats_exec, stats)
-
-# allow stats access to stdout from its parent shell.
-allow stats shell:fd use;
-
-# allow stats to communicate use, read and write over the adb
-# connection.
-allow stats adbd:fd use;
-allow stats adbd:unix_stream_socket { read write };
-
-# allow adbd to reap stats
-allow stats adbd:process { sigchld };
-
-# Allow the stats command to talk to the statsd over the binder, and get
-# back the stats report data from a ParcelFileDescriptor.
-binder_use(stats)
-allow stats stats_service:service_manager find;
-binder_call(stats, statsd)
-allow stats statsd:fifo_file write;
-
diff --git a/private/statsd.te b/private/statsd.te
deleted file mode 100644
index 82691d3a3..000000000
--- a/private/statsd.te
+++ /dev/null
@@ -1,72 +0,0 @@
-type statsd, domain;
-typeattribute statsd coredomain;
-
-init_daemon_domain(statsd)
-
-type statsd_exec, exec_type, file_type;
-binder_use(statsd)
-
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, incidentd)
-binder_call(statsd, statscompanion_service)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
- statscompanion_service
- app_api_service
- system_api_service
-}:service_manager find;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-###
-### neverallow rules
-###
-
-# Only system_server, system_app, and stats command can find the stats service.
-neverallow {
- domain
- -dumpstate
- -shell
- -stats
- -statsd
- -system_app
- -system_server
-} stats_service:service_manager find;
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -init -vold -vendor_init } stats_data_file:dir *;
-
diff --git a/private/system_server.te b/private/system_server.te
index 7d7a1a689..7b0aad150 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -169,7 +169,6 @@ binder_call(system_server, gatekeeperd)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
-binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, vold)
binder_call(system_server, wificond)
@@ -579,7 +578,6 @@ allow system_server mediadrmserver_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
-allow system_server stats_service:service_manager find;
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server vold_service:service_manager find;
@@ -802,3 +800,5 @@ neverallow system_server { domain -system_server }:process ptrace;
# file read access. However, that is now unnecessary (b/34951864)
neverallow system_server system_server:global_capability_class_set sys_resource;
+# TODO(b/67468181): Remove following lines upon resolution of this bug
+dontaudit system_server statscompanion_service:service_manager { add find };
diff --git a/public/service.te b/public/service.te
index b421c97d3..6dec274a0 100644
--- a/public/service.te
+++ b/public/service.te
@@ -21,6 +21,7 @@ type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
+type statscompanion_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
--
GitLab