remove "allow vold block_device:blk_file create_file_perms;"
vold hasn't used the generic "block_device" label since
commit 273d7ea4ca29fbd71c2b01e69e2c5ebd1253470a (Sept 2014), and
the auditallow statement in vold hasn't triggered since that time.
Remove the rule which allows vold access to the generic block_device
label, and remove the vold exception.
Thanks to jorgelo for reminding me about this.
Change-Id: Idd6cdc20f5be9a40c5c8f6d43bbf902a475ba1c9
diff --git a/domain.te b/domain.te
index 38284e2..164cad0 100644
--- a/domain.te
+++ b/domain.te
@@ -267,7 +267,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
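Review bot: Removing `-vold` from the neverallow makes the commit's claim a build-time assertion, but that assertion is only evaluated against the policy compiled together with this file; any device-specific policy that still grants vold `block_device:blk_file { open read write }` will now fail the policy build instead of merely being audited, so the change is worth checking against the device policy trees before it lands. The exemption list on the new line is now the only record of which domains may touch generic block nodes, and the comment above it could say why each of the remaining four is exempted, e.g. `# Exemptions (kernel, init, recovery, uncrypt): see the rules in each domain's .te file`. Note also that the neverallow covers only open/read/write, while the rule dropped from vold.te granted the full create_file_perms set; that is consistent for vold (no allow remains), but the assertion itself does not forbid other domains from creating or unlinking generic block_device nodes. The hunk appears to have lost its blank context lines in extraction (the header counts 7 old lines, 5 are visible).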
diff --git a/vold.te b/vold.te
index 5abb2f9..5ecb503 100644
--- a/vold.te
+++ b/vold.te
@@ -28,8 +28,6 @@
allow vold toolbox_exec:file rx_file_perms;
auditallow vold toolbox_exec:file rx_file_perms;
allow vold block_device:dir create_dir_perms;
-allow vold block_device:blk_file create_file_perms;
-auditallow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;