Leftovers of SELinux policy reload mechanism

Remove references to /data/security and the corresponding
type security_file.

Bug: 26544104
Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6
diff --git a/app.te b/app.te
index 37f2bc2..a91d75a 100644
--- a/app.te
+++ b/app.te
@@ -405,6 +405,5 @@
   dev_type
   rootfs
   system_file
-  security_file
   tmpfs
 }:lnk_file no_w_file_perms;
diff --git a/debuggerd.te b/debuggerd.te
index 127b793..04dcb79 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -10,7 +10,6 @@
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
 allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
-security_access_policy(debuggerd)
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
diff --git a/domain.te b/domain.te
index c876c84..5d5f7a2 100644
--- a/domain.te
+++ b/domain.te
@@ -176,29 +176,13 @@
 # Only recovery needs mac_admin to set contexts not defined in current policy.
 neverallow { domain -recovery } self:capability2 mac_admin;
 
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
 
-# Only init and the system_server can set selinux.reload_policy 1
-# to trigger a policy reload.
+# Only init and the system_server shall use the property_service.
 neverallow { domain -init -system_server } security_prop:property_service set;
 
-# Only init and system_server can write to /data/security, where runtime
-# policy updates live.
-# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
-neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
-# Only init and system_server can create/setattr directories with this type.
-# init is for init.rc mkdir /data/security.
-# system_server is for creating subdirectories under /data/security.
-neverallow { domain -init -system_server } security_file:dir { create setattr };
-# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
-
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
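Review bot: The rewritten comment above the security_prop rule, `# Only init and the system_server shall use the property_service.`, overstates the rule beneath it: the neverallow only forbids `set` on `security_prop`, not use of property_service in general, and now that the reload trigger is gone it no longer says what that property class is still for. Suggest `# Only init and system_server may set security_prop.` and, if nothing else sets it after this change, consider whether the rule still has a consumer. The new `neverallow * kernel:security load_policy;` also drops the explanation from the removed lines of why the initial load is not denied, which matters more now that `*` covers the kernel domain too; a comment along the lines of `# The policy is sealed once loaded: no domain may load another. The first load happens from the kernel domain before any policy exists, so it is not subject to this rule.` keeps that knowledge in place. The phrasing `there shall be none to modify the policy. It is sealed.` is also awkward and could be folded into that comment.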
diff --git a/domain_deprecated.te b/domain_deprecated.te
index 4da7a31..88b62bd 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -64,11 +64,6 @@
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
 
-# /data/security files
-allow domain_deprecated security_file:dir { search getattr };
-allow domain_deprecated security_file:file getattr;
-allow domain_deprecated security_file:lnk_file r_file_perms;
-
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
 allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;
diff --git a/file.te b/file.te
index a2963a5..2dcce5a 100644
--- a/file.te
+++ b/file.te
@@ -168,8 +168,6 @@
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
 type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy
diff --git a/file_contexts b/file_contexts
index d98f25d..c06fcbd 100644
--- a/file_contexts
+++ b/file_contexts
@@ -229,7 +229,6 @@
 /data/unencrypted(/.*)?         u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)?		u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)?	u:object_r:backup_data_file:s0
-/data/security(/.*)?	u:object_r:security_file:s0
 /data/system/ndebugsocket	u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)?		u:object_r:drm_data_file:s0
 /data/gps(/.*)?		u:object_r:gps_data_file:s0
diff --git a/init.te b/init.te
index 047ea73..2d070de 100644
--- a/init.te
+++ b/init.te
@@ -99,10 +99,10 @@
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
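Review bot: Dropping `-security_file` from init's exclusion sets is required once the type is removed, but a device upgrading with an existing `/data/security` directory (created by the init.rc `mkdir /data/security` step mentioned in the comment removed further down this file) keeps its on-disk `security_file` label, which the kernel will presumably treat as `unlabeled` once this policy is loaded. The `allow init unlabeled:dir { create_dir_perms relabelfrom }` rules that follow this hunk look like they let `restorecon_recursive /data` fix that up, but this is worth confirming on an upgrade test rather than assuming. The matching removal of the `mkdir /data/security` and `selinux.reload_policy` handling from init.rc/init is not part of this diff and should be coordinated with it. The allow-rule run this hunk edits begins before the hunk.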
@@ -123,15 +123,6 @@
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 
-# Create /data/security from init.rc post-fs-data.
-allow init security_file:dir { create setattr };
-
-# Reload policy upon setprop selinux.reload_policy 1.
-# Note: this requires the following allow rule
-#   allow init kernel:security load_policy;
-# which can be configured on a device-by-device basis if needed.
-r_dir_file(init, security_file)
-
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
diff --git a/installd.te b/installd.te
index 21cd4f0..1f83501 100644
--- a/installd.te
+++ b/installd.te
@@ -24,8 +24,6 @@
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
diff --git a/runas.te b/runas.te
index 4fa686a..58a1bdc 100644
--- a/runas.te
+++ b/runas.te
@@ -20,8 +20,6 @@
 allow runas self:capability { setuid setgid };
 
 # run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/system_server.te b/system_server.te
index 8f794e1..f03959e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -266,9 +266,6 @@
 # Receive and use open /data/media files passed over binder IPC.
 allow system_server media_rw_data_file:file { getattr read write };
 
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system_server)
-
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
diff --git a/te_macros b/te_macros
index 4d18973..84af301 100644
--- a/te_macros
+++ b/te_macros
@@ -249,27 +249,6 @@
 ')
 
 #####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-define(`security_access_policy', `
-allow $1 security_file:dir r_dir_perms;
-allow $1 security_file:file r_file_perms;
-')
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-define(`mmac_manage_policy', `
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `
diff --git a/ueventd.te b/ueventd.te
index 9eb2b1a..003b0e6 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -8,7 +8,6 @@
 type_transition ueventd device:chr_file klog_device "__kmsg__";
 allow ueventd klog_device:chr_file { create open write unlink };
 
-security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
diff --git a/vold.te b/vold.te
index 9a1ccfe..737037d 100644
--- a/vold.te
+++ b/vold.te
@@ -125,7 +125,6 @@
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
diff --git a/zygote.te b/zygote.te
index 421a54b..e1be061 100644
--- a/zygote.te
+++ b/zygote.te
@@ -43,8 +43,6 @@
 selinux_check_context(zygote)
 # Check SELinux permissions.
 selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
 
 # Native bridge functionality requires that zygote replaces
 # /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount