SELinux: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.
Test: device boots, foreign dex markers are not created anymore
Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62
diff --git a/private/app.te b/private/app.te
index 4741213..2eaa8e4 100644
--- a/private/app.te
+++ b/private/app.te
@@ -121,13 +121,6 @@
# Write profiles /data/misc/profiles
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
-# Profiles for foreign dex files are just markers and only need create permissions.
-allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
-allow appdomain user_profile_foreign_dex_data_file:file create;
-# There is no way to create user_profile_foreign_dex_data_file without
-# generating open/read denials. These permissions should not be granted and the
-# denial is harmless. dontaudit to suppress the denial.
-dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
# Send heap dumps to system_server via an already open file descriptor
# % adb shell am set-watch-heap com.android.systemui 1048576
@@ -471,10 +464,6 @@
-apk_data_file
}:file no_x_file_perms;
-# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
-neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
-neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
-
# Applications should use the activity model for receiving events
neverallow {
appdomain
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 565936a..2f8066a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -81,7 +81,6 @@
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
- -user_profile_foreign_dex_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
diff --git a/private/file_contexts b/private/file_contexts
index 4f27bcb..03ab637 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -334,7 +334,6 @@
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index f26332c..294ceb4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,13 +22,6 @@
allow system_server dalvikcache_data_file:dir r_dir_perms;
allow system_server dalvikcache_data_file:file { r_file_perms execute };
-# Enable system server to check the foreign dex usage markers.
-# We need search on top level directories so that we can get to the files
-allow system_server user_profile_data_file:dir search;
-allow system_server user_profile_data_file:file getattr;
-allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
-allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
-
# /data/resource-cache
allow system_server resourcecache_data_file:file r_file_perms;
allow system_server resourcecache_data_file:dir r_dir_perms;
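Review bot: Two of the rules removed in this hunk are on `user_profile_data_file`, not on the foreign-dex type: `allow system_server user_profile_data_file:dir search;` and `allow system_server user_profile_data_file:file getattr;`. The removed comment ties them to the marker check, so dropping them looks intended and narrows system_server's access, but any other system_server path that stats profile files would now be denied, and no other grant on that type is visible in this hunk. The stated test is only that the device boots, which may not exercise such a path; checking the audit log for `avc: denied` entries with `scontext` system_server and `tcontext` user_profile_data_file after install and profile-compilation flows would confirm the removal is safe. The file continues outside the hunk.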
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 1b8538c..80161de 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -155,8 +155,6 @@
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
- allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
- allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
')
# Access /data/misc/logd
diff --git a/public/file.te b/public/file.te
index 6aecab4..72f30f4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -113,7 +113,6 @@
type ota_package_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profiles
type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
-type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type;
# /data/resource-cache
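Review bot: Deleting the `user_profile_foreign_dex_data_file` type means that upgraded devices with `foreign-dex` directories and marker files already on disk will carry a label the new policy no longer defines, and the patch shows no cleanup step for them. With the file_contexts entry also gone, a recursive relabel would presumably assign them `user_profile_data_file` through the `/data/misc/profiles/cur(/.*)?` rule, a type on which appdomain holds `create_file_perms` rather than the old create-only marker access. It is worth confirming which component deletes the stale directories on upgrade and recording that next to the profiles entries, for example `# foreign-dex markers are obsolete; stale cur/<user>/foreign-dex dirs are removed by <component>`.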
diff --git a/public/installd.te b/public/installd.te
index 3b4fd2e..5e0ccc4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -104,8 +104,6 @@
allow installd user_profile_data_file:file create_file_perms;
allow installd user_profile_data_file:dir rmdir;
allow installd user_profile_data_file:file unlink;
-allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
-allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
diff --git a/public/vold.te b/public/vold.te
index cda6424..7e8be29 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -169,7 +169,6 @@
# Prepare profile dir for users.
allow vold user_profile_data_file:dir create_dir_perms;
-allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;