access_vectors: Remove unused permission definitions
Description stolen from
https://github.com/torvalds/linux/commit/42a9699a9fa179c0054ea3cf5ad3cc67104a6162
Remove unused permission definitions from SELinux.
Many of these were only ever used in pre-mainline
versions of SELinux, prior to Linux 2.6.0. Some of them
were used in the legacy network or compat_net=1 checks
that were disabled by default in Linux 2.6.18 and
fully removed in Linux 2.6.30.
Permissions never used in mainline Linux:
file swapon
filesystem transition
tcp_socket { connectto newconn acceptfrom }
node enforce_dest
unix_stream_socket { newconn acceptfrom }
Legacy network checks, removed in 2.6.30:
socket { recv_msg send_msg }
node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send }
Test: policy compiles and no boot errors (marlin)
Change-Id: Idaef2567666f80db39c3e3cee70e760e1dac73ec
diff --git a/private/access_vectors b/private/access_vectors
index 26286b2..6393c16 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -24,7 +24,6 @@
link
rename
execute
- swapon
quotaon
mounton
}
@@ -57,8 +56,6 @@
shutdown
recvfrom
sendto
- recv_msg
- send_msg
name_bind
}
@@ -97,7 +94,6 @@
getattr
relabelfrom
relabelto
- transition
associate
quotamod
quotaget
@@ -184,9 +180,6 @@
class tcp_socket
inherits socket
{
- connectto
- newconn
- acceptfrom
node_bind
name_connect
}
@@ -205,29 +198,12 @@
class node
{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- enforce_dest
- dccp_recv
- dccp_send
recvfrom
sendto
}
class netif
{
- tcp_recv
- tcp_send
- udp_recv
- udp_send
- rawip_recv
- rawip_send
- dccp_recv
- dccp_send
ingress
egress
}
@@ -245,8 +221,6 @@
inherits socket
{
connectto
- newconn
- acceptfrom
}
class unix_dgram_socket
diff --git a/public/te_macros b/public/te_macros
index a826e96..df171f0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -237,7 +237,7 @@
r_dir_file($1, selinuxfs)
allow $1 selinuxfs:file w_file_perms;
allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
')
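Review bot: The rewritten allow rule on the `+` line keeps the full socket permission set for self:netlink_selinux_socket spelled out by hand, which is exactly why it had to be touched in this commit; a short note above the rule would stop the list drifting from the class definition again, e.g. `# Keep this permission list in sync with the socket permissions in private/access_vectors.`. The macro this rule belongs to starts above the hunk, so only its closing `')` is visible here. Separately, on devices whose kernel predates the upstream commit cited in the description, the class map presumably still contains the removed names and the kernel may warn at policy load that they are not defined in policy; that should be harmless because those permissions are never checked, but the Test line covers only marlin, so it is worth confirming on at least one older kernel and mentioning in the description.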
#####################################