Delete ineffective netd neverallow assertion

It doesn't make sense to write neverallow assertions where an attribute
negation exists allowing the operation. When such a negation exists,
domains can "opt-out" of the neverallow assertion by declaring their
use of the attribute. Such trivially bypassable assertions provide
no security or architectural guarantees.

"netdomain" is such an attribute. This attribute is used by processes to
indicate that they communicate with the network, for example, using
TCP/UDP sockets. Vendor code is freely allowed to use network
communication by declaring their use of the attribute.

Because the attribute is usable by any vendor domain, the "no socket
connections to netd" restriction is pointless and provides a false sense
of security. Any process can opt out of these restrictions by just
declaring their use of networking functionality. This also results in
ineffective policy bloat, making it difficult to reason about the policy
and make changes.

Delete the ineffective, misleading neverallow assertion.

Test: compiles
Change-Id: Ia72d9660a337ef811e56c9227af29b17d043b99f

diff --git a/public/domain.te b/public/domain.te
index a415646..bfc1860 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -742,16 +742,6 @@
});
')
- # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -netdomain
- -socket_between_core_and_vendor_violators
- }, netd);
-')
-
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
neverallow {
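Review bot: The rule kept as context directly below the deletion ("Vendor domains are not permitted to initiate create/open sockets owned by core domains") is cut off after `neverallow {`, so its exemption list cannot be checked from this hunk. The commit message's argument applies to any assertion that subtracts `-netdomain`, so the message should say whether that retained rule and the other assertions in public/domain.te were audited for the same opt-out. Separately, `Test: compiles` is weak evidence for a pure deletion, because removing a neverallow cannot cause a new assertion failure at build time. I would replace it with a statement of how vendor-to-netd socket access is constrained after this change, or an explicit note that it is intentionally left unconstrained for any domain carrying `netdomain`. The deleted block also exempted `-socket_between_core_and_vendor_violators`; please confirm that attribute still has other users in the policy so it does not become dead.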