gatekeeperd: remove domain_deprecated attribute
Test: builds/boots on Angler. No "granted" messages for the removed
permissions observed in three months of log audits.
Bug: 28760354
Change-Id: I0a6363f094c41392469f438c4399c93ed53fb5ac
diff --git a/domain_deprecated.te b/domain_deprecated.te
index c363a6c..b8ad83c 100644
--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -78,7 +78,7 @@
allow domain_deprecated ion_device:chr_file rw_file_perms;
# split this auditallow into read and write perms since most domains seem to
# only require read
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -keystore -surfaceflinger -system_server -tee -vold -zygote } ion_device:chr_file r_file_perms;
auditallow domain_deprecated ion_device:chr_file { write append };
# Read access to pseudo filesystems.
@@ -96,8 +96,8 @@
auditallow { domain_deprecated -bluetooth -fingerprintd -healthd -init -netd -priv_app -rild -system_app -surfaceflinger -system_server -tee -ueventd -vold -wpa } sysfs:lnk_file { getattr open ioctl lock }; # read granted in domain
auditallow domain_deprecated inotify:dir r_dir_perms;
auditallow domain_deprecated inotify:{ file lnk_file } r_file_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
-auditallow { domain_deprecated -appdomain -fingerprintd -gatekeeperd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:dir r_dir_perms;
+auditallow { domain_deprecated -appdomain -fingerprintd -healthd -init -inputflinger -installd -keystore -netd -rild -surfaceflinger -system_server -zygote } cgroup:{ file lnk_file } r_file_perms;
auditallow { domain_deprecated -appdomain -init -priv_app -surfaceflinger -system_server -vold } proc_meminfo:file r_file_perms;
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:dir { open getattr read ioctl lock }; # search granted in domain
auditallow { domain_deprecated -appdomain -clatd -init -netd -system_server -vold -wpa -zygote } proc_net:{ file lnk_file } r_file_perms;
diff --git a/gatekeeperd.te b/gatekeeperd.te
index 3d9b60c..bc4fe81 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -1,4 +1,4 @@
-type gatekeeperd, domain, domain_deprecated;
+type gatekeeperd, domain;
type gatekeeperd_exec, exec_type, file_type;
# gatekeeperd