commit 7e74b1038f4a3f0a66dc32f48d741ab400221ba3
author Tobias Thierer <tobiast@google.com> Thu Nov 02 15:13:43 2017 +0000
committer android-build-team Robot <android-build-team-robot@google.com> Thu Nov 02 20:50:37 2017 +0000
tree d0d174cad66704381e9a4f1e4d138ec4ec20e0c8
parent a8d450d7733634d4982489ec1e10b8c896031534

Revert "Neverallow coredomain to kernel interface files."

This reverts commit 502e43f7d9f8ed2ccdd0c2d2c7aa2bc84d9c02e7.

Reason for revert: Suspected to have broken a build, see b/68792382

Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
(cherry picked from commit 83a06805f06fa4af10fd1c655932b508e1ebe0a9)

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index b80064e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -16,119 +16,3 @@
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
-  # /proc
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -platform_app
-    -priv_app
-    -radio
-    -shell
-    -system_app
-    -vold
-    -vendor_init
-  } proc:file no_rw_file_perms;
-
-  # /sys
-  neverallow {
-    coredomain
-    -charger
-    -dumpstate
-    -healthd
-    -init
-    -mediaserver
-    -priv_app
-    -radio
-    -storaged
-    -system_app
-    -system_server
-    -ueventd
-    -update_verifier
-    -vold
-    -vendor_init
-  } sysfs:file no_rw_file_perms;
-
-  # /dev
-  neverallow {
-    coredomain
-    -fsck
-    -init
-    -shell
-    -ueventd
-    -vendor_init
-  } device:{ blk_file file } no_rw_file_perms;
-
-  # debugfs
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -system_server
-    -vendor_init
-  } debugfs:file no_rw_file_perms;
-
-  # tracefs
-  neverallow {
-    coredomain
-    -atrace
-    -dumpstate
-    -init
-    -perfprofd
-    -shell
-    -vendor_init
-  } debugfs_tracing:file no_rw_file_perms;
-
-  # inotifyfs
-  neverallow {
-    coredomain
-    -init
-    -vendor_init
-  } inotify:file no_rw_file_perms;
-
-  # pstorefs
-  neverallow {
-    coredomain
-    -bootstat
-    -charger
-    -dumpstate
-    -healthd
-    -init
-    -logd
-    -logpersist
-    -recovery_persist
-    -recovery_refresh
-    -shell
-    -system_server
-    -vendor_init
-  } pstorefs:file no_rw_file_perms;
-
-  # configfs
-  neverallow {
-    coredomain
-    -init
-    -system_server
-    -vendor_init
-  } configfs:file no_rw_file_perms;
-
-  # functionfs
-  neverallow {
-    coredomain
-    -adbd
-    -init
-    -mediaprovider
-    -vendor_init
-  }functionfs:file no_rw_file_perms;
-
-  # usbfs and binfmt_miscfs
-  neverallow {
-    coredomain
-    -init
-    -vendor_init
-  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')