From ca5bb3371d01f5eb084046918d54bd34a4cbba2b Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Wed, 5 Jul 2017 22:17:46 -0700 Subject: [PATCH] domain_deprecated: remove tmpfs dir access Address "granted" audit messages for dumpstate use of df. avc: granted { getattr } for comm="df" path="/mnt" dev="tmpfs" scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir avc: granted { search } for comm="df" name="/" dev="tmpfs" scontext=u:r:dumpstate:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Bug: 28760354 Test: Build, check logs. Change-Id: I920948a5f0bce1b4bd2f15779730df8b3b1fea5a --- public/domain_deprecated.te | 16 ---------------- public/dumpstate.te | 2 +- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te index f5231fbb3..f989ea1e7 100644 --- a/public/domain_deprecated.te +++ b/public/domain_deprecated.te @@ -1,21 +1,5 @@ # rules removed from the domain attribute -# Search /storage/emulated tmpfs mount. -allow { domain_deprecated -installd } tmpfs:dir r_dir_perms; -userdebug_or_eng(` -auditallow { - domain_deprecated - -appdomain - -installd - -recovery - -sdcardd - -surfaceflinger - -system_server - -vold - -zygote -} tmpfs:dir r_dir_perms; -') - # Root fs. allow domain_deprecated rootfs:dir r_dir_perms; allow domain_deprecated rootfs:file r_file_perms; diff --git a/public/dumpstate.te b/public/dumpstate.te index ee27cbee7..66eaa1f2c 100644 --- a/public/dumpstate.te +++ b/public/dumpstate.te @@ -82,7 +82,7 @@ allow dumpstate sysfs_usb:file w_file_perms; allow dumpstate qtaguid_proc:file r_file_perms; allow dumpstate debugfs:file r_file_perms; # df for /storage/emulated needs search -allow dumpstate { storage_file block_device }:dir { search getattr }; +allow dumpstate { block_device storage_file tmpfs }:dir { search getattr }; allow dumpstate fuse_device:chr_file getattr; allow dumpstate { dm_device cache_block_device }:blk_file getattr;