commit bf696327246833c9aba55a645e6c433e9f321e27
author Riley Spahn <rileyspahn@google.com> Fri Jul 18 11:21:34 2014 -0700
committer Nick Kralevich <nnk@google.com> Fri Jul 18 19:58:27 2014 +0000
tree d1c1dd152df7044386e6763e7dc0a46d9220c1ca
parent 4a24475b9d8aa9de9c3e991cf8e484830f28ce9d

DO NOT MERGE: Remove service_manager audit_allows.

Remove the audit_allow rules from lmp-dev because
we will not be tightening any further so these logs
will not be useful.

Change-Id: Ibd0e4bf4e8f4f5438c3dbb9114addaadac9ef8c9

adbd.te

diff --git a/adbd.te b/adbd.te
index 3b654a1..58fdead 100644
--- a/adbd.te
+++ b/adbd.te
@@ -68,9 +68,3 @@
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;
-
-service_manager_local_audit_domain(adbd)
-auditallow adbd {
-    service_manager_type
-    -surfaceflinger_service
-}:service_manager find;

attributes

diff --git a/attributes b/attributes
index d40217a..613ed8f 100644
--- a/attributes
+++ b/attributes
@@ -67,6 +67,3 @@
 
 # All domains used for binder service domains.
 attribute binderservicedomain;
-
-# All domains that are excluded from the domain.te auditallow.
-attribute service_manager_local_audit;

bluetooth.te

diff --git a/bluetooth.te b/bluetooth.te
index 56fe170..2b108a9 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,15 +49,6 @@
 allow bluetooth pan_result_prop:property_service set;
 allow bluetooth ctl_dhcp_pan_prop:property_service set;
 
-# Audited locally.
-service_manager_local_audit_domain(bluetooth)
-auditallow bluetooth {
-    service_manager_type
-    -bluetooth_service
-    -radio_service
-    -system_server_service
-}:service_manager find;
-
 ###
 ### Neverallow rules
 ###

bootanim.te

diff --git a/bootanim.te b/bootanim.te
index 7592295..3a0a76f 100644
--- a/bootanim.te
+++ b/bootanim.te
@@ -11,7 +11,3 @@
 
 # /oem access
 allow bootanim oemfs:dir search;
-
-# Audited locally.
-service_manager_local_audit_domain(bootanim)
-auditallow bootanim { service_manager_type -surfaceflinger_service }:service_manager find;

domain.te

diff --git a/domain.te b/domain.te
index 0913453..2ed20bb 100644
--- a/domain.te
+++ b/domain.te
@@ -159,9 +159,7 @@
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
 allow domain servicemanager:service_manager list;
-auditallow domain servicemanager:service_manager list;
 allow domain service_manager_type:service_manager find;
-auditallow { domain -service_manager_local_audit } service_manager_type:service_manager find;
 
 ###
 ### neverallow rules

drmserver.te

diff --git a/drmserver.te b/drmserver.te
index 14b2f49..1993176 100644
--- a/drmserver.te
+++ b/drmserver.te
@@ -46,11 +46,3 @@
 allow drmserver radio_data_file:file { read getattr };
 
 allow drmserver drmserver_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(drmserver)
-auditallow drmserver {
-    service_manager_type
-    -drmserver_service
-    -system_server_service
-}:service_manager find;

dumpstate.te

diff --git a/dumpstate.te b/dumpstate.te
index 242cb93..279fd98 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -96,18 +96,3 @@
 # Read network state info files.
 allow dumpstate net_data_file:dir search;
 allow dumpstate net_data_file:file r_file_perms;
-
-service_manager_local_audit_domain(dumpstate)
-auditallow dumpstate {
-    service_manager_type
-    -drmserver_service
-    -healthd_service
-    -inputflinger_service
-    -keystore_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_app_service
-    -system_server_service
-}:service_manager find;

healthd.te

diff --git a/healthd.te b/healthd.te
index 940f7c4..a788236 100644
--- a/healthd.te
+++ b/healthd.te
@@ -34,10 +34,6 @@
 
 allow healthd healthd_service:service_manager add;
 
-# Audited locally.
-service_manager_local_audit_domain(healthd)
-auditallow healthd { service_manager_type -healthd_service }:service_manager find;
-
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
 unix_socket_connect(healthd, property, init)

inputflinger.te

diff --git a/inputflinger.te b/inputflinger.te
index 4377a10..283bbba 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -9,7 +9,3 @@
 binder_call(inputflinger, system_server)
 
 allow inputflinger inputflinger_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(inputflinger)
-auditallow inputflinger { service_manager_type -inputflinger_service }:service_manager find;

isolated_app.te

diff --git a/isolated_app.te b/isolated_app.te
index 5929b25..a156838 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,12 +18,3 @@
 # Needed to allow dlopen() from Chrome renderer processes.
 # See b/15902433 for details.
 allow isolated_app app_data_file:file execute;
-
-# Audited locally.
-service_manager_local_audit_domain(isolated_app)
-auditallow isolated_app {
-    service_manager_type
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;

keystore.te

diff --git a/keystore.te b/keystore.te
index f2c5039..afa701c 100644
--- a/keystore.te
+++ b/keystore.te
@@ -28,9 +28,5 @@
 
 allow keystore keystore_service:service_manager add;
 
-# Audited locally.
-service_manager_local_audit_domain(keystore)
-auditallow keystore { service_manager_type -keystore_service }:service_manager find;
-
 # Check SELinux permissions.
 selinux_check_access(keystore)

mediaserver.te

diff --git a/mediaserver.te b/mediaserver.te
index 52c593e..55d1f205 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -79,13 +79,3 @@
 allow mediaserver tee:unix_stream_socket connectto;
 
 allow mediaserver mediaserver_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(mediaserver)
-auditallow mediaserver {
-    service_manager_type
-    -drmserver_service
-    -mediaserver_service
-    -system_server_service
-    -surfaceflinger_service
-}:service_manager find;

nfc.te

diff --git a/nfc.te b/nfc.te
index 2b851a2..65aaef7 100644
--- a/nfc.te
+++ b/nfc.te
@@ -15,12 +15,3 @@
 allow nfc sysfs:file write;
 
 allow nfc nfc_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(nfc)
-auditallow nfc {
-    service_manager_type
-    -mediaserver_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;

platform_app.te

diff --git a/platform_app.te b/platform_app.te
index a44e35d..7ff8d62 100644
--- a/platform_app.te
+++ b/platform_app.te
@@ -27,13 +27,3 @@
 # Write to /cache.
 allow platform_app cache_file:dir create_dir_perms;
 allow platform_app cache_file:file create_file_perms;
-
-# Audited locally.
-service_manager_local_audit_domain(platform_app)
-auditallow platform_app {
-    service_manager_type
-    -mediaserver_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;

radio.te

diff --git a/radio.te b/radio.te
index 5f45df3..d0018ea 100644
--- a/radio.te
+++ b/radio.te
@@ -28,13 +28,3 @@
 allow radio ctl_rildaemon_prop:property_service set;
 
 allow radio radio_service:service_manager add;
-
-# Audited locally.
-service_manager_local_audit_domain(radio)
-auditallow radio {
-    service_manager_type
-    -mediaserver_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;

surfaceflinger.te

diff --git a/surfaceflinger.te b/surfaceflinger.te
index ff91993..c508612 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -59,14 +59,6 @@
 
 allow surfaceflinger surfaceflinger_service:service_manager add;
 
-# Audited locally.
-service_manager_local_audit_domain(surfaceflinger)
-auditallow surfaceflinger {
-    service_manager_type
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
-
 ###
 ### Neverallow rules
 ###

system_app.te

diff --git a/system_app.te b/system_app.te
index 5a5888f..2a7421b 100644
--- a/system_app.te
+++ b/system_app.te
@@ -64,14 +64,3 @@
 };
 
 control_logd(system_app)
-
-# Audited locally.
-service_manager_local_audit_domain(system_app)
-auditallow system_app {
-    service_manager_type
-    -keystore_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;

system_server.te

diff --git a/system_server.te b/system_server.te
index 9d973db..9afd8af 100644
--- a/system_server.te
+++ b/system_server.te
@@ -362,9 +362,6 @@
 
 allow system_server system_server_service:service_manager add;
 
-# Audited locally.
-service_manager_local_audit_domain(system_server)
-
 allow system_server keystore:keystore_key {
 	test
 	get

te_macros

diff --git a/te_macros b/te_macros
index b2913f3..7c1f6e5 100644
--- a/te_macros
+++ b/te_macros
@@ -109,7 +109,6 @@
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
-service_manager_local_audit_domain($1)
 ')
 
 #####################################
@@ -359,11 +358,3 @@
   allow keystore $1:process getattr;
   binder_call($1, keystore)
 ')
-
-###########################################
-# service_manager_local_audit_domain(domain)
-# Has its own auditallow rule on service_manager
-# and should be excluded from the domain.te auditallow.
-define(`service_manager_local_audit_domain', `
-  typeattribute $1 service_manager_local_audit;
-')

untrusted_app.te

diff --git a/untrusted_app.te b/untrusted_app.te
index c97b451..f29149e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -64,19 +64,6 @@
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
 
-# Audited locally.
-service_manager_local_audit_domain(untrusted_app)
-auditallow untrusted_app {
-    service_manager_type
-    -drmserver_service
-    -keystore_service
-    -mediaserver_service
-    -nfc_service
-    -radio_service
-    -surfaceflinger_service
-    -system_server_service
-}:service_manager find;
-
 ###
 ### neverallow rules
 ###