commit 02ce98eab449773c21f57df022e639c361dacf53
author Treehugger Robot <treehugger-gerrit@google.com> Fri Nov 16 22:52:38 2018 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Nov 16 22:52:38 2018 +0000
tree 5d7c87aea0b250c086a7cc9752054f249da26206
parent 3d533078ab8a43b7fcaaf8f761e8baaf30c214e6
parent fe4061da837567a87b218d487058f1f5b86a7589

Merge "remove system_server debugfs:file r_file_perms"

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index c2033db..d8a67c3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -142,8 +142,6 @@
 allow system_server stats_data_file:file unlink;
 
 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs:file r_file_perms;
-auditallow system_server debugfs:file r_file_perms;
 allow system_server debugfs_wakeup_sources:file r_file_perms;
 
 # Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 13f52dc..20ae4a9 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1387,8 +1387,8 @@
 # Do not allow access to the generic debugfs label. This is too broad.
 # Instead, if access to part of debugfs is desired, it should have a
 # more specific label.
-# TODO: fix system_server and dumpstate
-neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+# TODO: fix dumpstate
+neverallow { domain -init -vendor_init -dumpstate } debugfs:file no_rw_file_perms;
 
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.