Remove SElinux audit to libart_file

Since it was introduced, it has caused quite a few issues, and it spams the
SELinux logs unnecessarily.

The end goal of the audit was to whitelist the access to the
interpreter. However that's unfeasible for now given the complexity.

Test: devices boots and everything works as expected
      no more auditallow logs

Bug: 29795519
Bug: 32871170
Change-Id: I9a7a65835e1e1d3f81be635bed2a3acf75a264f6
diff --git a/private/app.te b/private/app.te
index 84be2bf..d27ce64 100644
--- a/private/app.te
+++ b/private/app.te
@@ -14,9 +14,6 @@
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
 
-# allow access to the interpreter
-allow appdomain libart_file:file { execute read open getattr };
-
 allow appdomain ashmem_device:chr_file execute;
 
 # Receive and use open file descriptors inherited from zygote.
diff --git a/private/file_contexts b/private/file_contexts
index 33b201e..9236bfe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -239,8 +239,6 @@
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
-/system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
-/system/lib(64)?/libart.*        u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
diff --git a/private/zygote.te b/private/zygote.te
index f9213ce..f0ac0b2 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -40,8 +40,6 @@
 allow zygote resourcecache_data_file:dir rw_dir_perms;
 allow zygote resourcecache_data_file:file create_file_perms;
 
-# For art.
-allow zygote libart_file:file { execute read open getattr };
 # When WITH_DEXPREOPT is true, the zygote does not load executable content from
 # /data/dalvik-cache.
 allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index af74247..e117176 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -24,9 +24,6 @@
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;
 
-# Unwind through libart.
-allow crash_dump libart_file:file r_file_perms;
-
 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
 
diff --git a/public/dex2oat.te b/public/dex2oat.te
index be9877c..f4a7418 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -6,9 +6,6 @@
 
 allow dex2oat tmpfs:file { read getattr };
 
-# allow access to the interpreter
-allow dex2oat libart_file:file { execute read open getattr };
-
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
 # Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
diff --git a/public/domain.te b/public/domain.te
index ca86836..5df7a43 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,21 +94,6 @@
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;
 
-# Initially grant all domains access to libart.
-# TODO move to a whitelist. b/29795519
-allow domain libart_file:file { execute read open getattr };
-auditallow {
-  domain
-  -appdomain
-  -crash_dump
-  -dex2oat
-  -dumpstate
-  -profman
-  -recovery
-  -webview_zygote
-  -zygote
-} libart_file:file { execute read open getattr };
-
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
 
@@ -308,7 +293,7 @@
     -system_server
     -webview_zygote
     -zygote
-} { file_type -libart_file -system_file -exec_type -postinstall_file }:file execute;
+} { file_type -system_file -exec_type -postinstall_file }:file execute;
 neverallow {
     domain
     -appdomain # for oemfs
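Review bot: With `-libart_file` dropped from the target set on the closing line of this neverallow, the covered domains can be granted execute on libart only if those files are labeled `system_file` (or an `exec_type` / `postinstall_file`). The file_contexts hunk in this commit deletes both libart entries without adding a replacement, so the label presumably falls through to a broader /system pattern that is not visible in this diff. The Test: lines record only a successful boot and the absence of auditallow logs. It would help to also record an `ls -Z` check showing that the files under `/system/lib(64)?/libart*` and `/system/fake-lib(64)?/libart*` come out as `system_file`. The neverallow statement begins above this hunk, so its source set is only partly visible here.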
@@ -640,7 +625,7 @@
 # TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
 
 # Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set; 
+# TODO - rework this: neverallow * ~property_type:property_service set;
 
 # Domain types should never be assigned to any files other
 # than the /proc/pid files associated with a process. The
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a70614d..bac648e 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -114,7 +114,6 @@
 allow dumpstate ashmem_device:chr_file execute;
 allow dumpstate self:process execmem;
 # For art.
-allow dumpstate libart_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:dir { search getattr };
 allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
 allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
diff --git a/public/file.te b/public/file.te
index 7bf44cc..c48e04e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -78,8 +78,6 @@
 type system_file, file_type;
 # Speedup access for trusted applications to the runtime event tags
 type runtime_event_log_tags_file, file_type;
-# Type for /system/*/libart*
-type libart_file, file_type;
 # Type for /system/bin/logcat.
 type logcat_exec, exec_type, file_type;
 # /cores for coredumps on userdebug / eng builds
diff --git a/public/profman.te b/public/profman.te
index 6afd417..ff81540 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,8 +2,6 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;
 
-allow profman libart_file:file r_file_perms;
-
 allow profman user_profile_data_file:file { getattr read write lock };
 
 # Dumping profile info opens the application APK file for pretty printing.
diff --git a/public/recovery.te b/public/recovery.te
index c607d03..11c01ed 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -28,7 +28,7 @@
 
   # Create and relabel files and directories under /system.
   allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
-  allow recovery { system_file libart_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
   # We may be asked to set an SELinux label for a type not known to the
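Review bot: The braces around the lone type in `allow recovery { system_file }:{ file lnk_file } ...` are a leftover from the former two-element set and are now redundant. Writing it as `allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };` would match the `system_file:dir` rule on the following line. The indented block these rules sit in begins outside this hunk.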