commit 90cb59fd513441622323c77762a96df6a85a7100
author Nick Kralevich <nnk@google.com> Fri Jun 06 02:16:41 2014 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Jun 06 02:16:42 2014 +0000
tree 5c181fd2f3a8c3d5a294366b5a4301f599649796
parent 4fd4a2054db06329acc524c7eb07715ec625dc5d
parent cb23ca92f303fca6bb0f48a1beb384e220afe39e

Merge "Remove domain unlabeled access."

domain.te

diff --git a/domain.te b/domain.te
index 2086911..dbe2324 100644
--- a/domain.te
+++ b/domain.te
@@ -143,31 +143,13 @@
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-######## Backwards compatibility - Unlabeled files ############
-
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
-auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
-auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
-auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
-auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
-auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
-auditallow system_server unlabeled:dir ~r_dir_perms;
-auditallow system_server unlabeled:file ~r_file_perms;
-auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
-
 ###
 ### neverallow rules
 ###
 
+# Do not allow any confined domain to create new unlabeled files.
+neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;