gsid: Remove redundant neverallow rules
These neverallow rules have grown over the years, and there are now some
duplicated rules. For example,
neverallow scon tcon:tcls ~{ read };
really isn't doing anything due to the
neverallow scon tcon:tcls *;
banning every action already.
Remove these rules to make them more manageable, and make the follow-up
changes simpler to review.
Bug: 181110285
Test: Build pass
Change-Id: I82f2bbb54436153507b451a61b3075f223522028
diff --git a/private/gsid.te b/private/gsid.te
index 56def1d..c523731 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -168,7 +168,13 @@
-gsid
-fastbootd
-vold
-} gsi_metadata_file:file_class_set ~{ relabelto getattr };
+} gsi_metadata_file:file_class_set *;
+
+neverallow {
+ domain
+ -init
+ -gsid
+} gsi_data_file:dir *;
neverallow {
domain
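Review bot: the changed line `} gsi_metadata_file:file_class_set *;` is not a pure de-duplication when read on its own. Going from `~{ relabelto getattr }` to `*` newly forbids `relabelto` and `getattr` on `gsi_metadata_file` for every domain outside this rule's exemption list. That is a no-op only if the rule that previously banned everything on `gsi_metadata_file` (the `{ gsi_data_file gsi_metadata_file }:file_class_set *` rule touched in the next hunk) exempts exactly the same domains, and the head of both lists is cut off in the context shown here. Please confirm that the two lists match and say so in the commit message, or describe this line as a tightening rather than a removal.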
@@ -176,19 +182,7 @@
-gsid
-fastbootd
-vold
-} { gsi_data_file gsi_metadata_file }:file_class_set *;
-
-neverallow {
- domain
- -gsid
- -init
-} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -gsid
-} gsi_data_file:dir *;
+} gsi_data_file:file_class_set *;
neverallow {
domain
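Review bot: on the changed line `} gsi_data_file:file_class_set *;`, dropping `gsi_metadata_file` from the type set leaves that type guarded only by the rule edited in the previous hunk, so the two exemption lists need to be identical for coverage to stay the same. The removed `gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }` block is safely shadowed by the `gsi_data_file:dir *` block with the same `domain -init -gsid` set. Moving that `dir *` block up into the previous hunk in the same commit makes the redundancy harder to verify from the diff, so consider leaving it in place, or adding a one-line comment above each remaining block naming the type and classes it protects.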