Remove system_server and zygote unlabeled execute access.
Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.
This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.
That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.
Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/system_server.te b/system_server.te
index 152ece1..f48fd2c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -236,11 +236,6 @@
# For SELinuxPolicyInstallReceiver
selinux_manage_policy(system_server)
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow system_server unlabeled:file execute;
-
# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;
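Review bot: The removal of `allow system_server unlabeled:file execute;` rests entirely on the assumption stated in the commit message that Ib8d9751a47c8e0238cf499fcec61898937945d9d leaves nothing under /data (outside /data/data) unlabeled, and the message itself says the non-SE to SE upgrade path was not tested. Before this lands, please exercise that path on a device whose /data/dalvik-cache was created without labels and confirm the relabel completes before system_server maps anything from it; an `execute` denial on `unlabeled:file` for system_server in the audit log on first boot after upgrade would be the failure signature to look for. The dropped comment also points at the Unlabeled files discussion in domain.te; if that discussion still describes system_server execute access as an allowed exception, it should be updated in the same change so the policy and its documentation agree.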
diff --git a/zygote.te b/zygote.te
index b6a527c..c20072d 100644
--- a/zygote.te
+++ b/zygote.te
@@ -52,8 +52,3 @@
allow zygote shell_data_file:file { write getattr };
allow zygote system_server:binder { transfer call };
allow zygote servicemanager:binder { call };
-
-# For legacy unlabeled userdata on existing devices.
-# See discussion of Unlabeled files in domain.te for more information.
-# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
-allow zygote unlabeled:file execute;
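Review bot: Dropping the zygote rule has a larger blast radius than the system_server one, since zygote is what maps the dalvik-cache with PROT_EXEC for every app it forks; if any legacy device still boots with unlabeled files there, app launch fails rather than a single service. Because both rules are removed in one change, please test the upgrade path called out in the commit message with this hunk in particular, checking that the relabel from the referenced change runs before zygote starts and that no `execute` denials on `unlabeled:file` for zygote appear at first boot. Consistent with the system_server hunk, the reference to the domain.te discussion in the removed comment should be checked so that domain.te no longer documents this as a permitted exception.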