Revert "Add neverallow rules to ensure successful kill by artd."
Revert submission 3165143
Reason for revert: Not meant for CTS 15.
This change is meant for Android 16 but was accidentally merged into the
CTS 15 branch by the automerger. Reverting it.
This Merged-In id is arbitrarily picked from the immediate downstream
branch to prevent this revert from being merged into the downstream
branches.
Reverted changes: https://r.android.com/q/submissionid:3165143
Bug: 362201040
Bug: 359380641
Bug: 364118843
Change-Id: Ibf4cd02d48b2f659966c94509c97906daea4ef2d
Merged-In: Ie9588af4a22b77ccb65b8115f4dc6f8ecac29fa9
diff --git a/private/artd.te b/private/artd.te
index bc4a7a2..e6a6aaa 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -4,9 +4,6 @@
type artd_exec, system_file_type, exec_type, file_type;
type artd_tmpfs, file_type;
-# All types of artd subprocesses, which artd can kill.
-attribute artd_subprocess_type;
-
# Allow artd to publish a binder service and make binder calls.
binder_use(artd)
add_service(artd, artd_service)
@@ -134,7 +131,7 @@
domain_auto_trans(artd, dex2oat_exec, dex2oat)
# Allow sending sigkill to subprocesses.
-allow artd artd_subprocess_type:process sigkill;
+allow artd { profman dex2oat }:process sigkill;
# Allow reading process info (/proc/<pid>/...).
# This is needed for getting CPU time and wall time spent on subprocesses.
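Review bot: With the attribute removed, artd's sigkill coverage on the new side is back to the enumerated sets — `allow artd { profman dex2oat }:process sigkill;` here and `{ derive_classpath odrefresh }` in the hunk at +159 — and dexoptanalyzer, whose artd_subprocess_type membership this revert also drops in private/dexoptanalyzer.te, is in neither set. If artd on the CTS 15 branch spawns and kills dexoptanalyzer, that sigkill rule has to be carried separately, since nothing in these hunks restores it (a rule elsewhere in the file would be outside what is shown). The hunk at -185 also drops the `neverallow artd_subprocess_type self:process setpgid;` guard, so a subprocess escaping its process group would no longer be caught at policy build time; that is the stated intent of the revert, but it is worth confirming the branch does not rely on the process-group kill path.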
@@ -162,6 +159,9 @@
domain_auto_trans(artd, derive_classpath_exec, derive_classpath)
domain_auto_trans(artd, odrefresh_exec, odrefresh)
+# Allow sending sigkill to subprocesses.
+allow artd { derive_classpath odrefresh }:process sigkill;
+
# Allow accessing Pre-reboot Dexopt files.
allow artd pre_reboot_dexopt_file:dir { getattr search };
@@ -185,15 +185,3 @@
# Never allow running other binaries without a domain transition.
# The exception for art_exec_exec is explained above.
neverallow artd ~{art_exec_exec}:file execute_no_trans;
-
-# Make sure artd_subprocess_type is complete, in a sense that it includes all
-# types of artd subprocesses.
-neverallow artd ~{artd_subprocess_type crash_dump}:process transition;
-
-# artd uses process groups to manage subprocesses and kill them. To ensure
-# successful kill, we need to prevent subprocesses from changing their
-# process groups or transitioning to other domains.
-# Transitioning crash_dump is allowed because it is transient and is only used
-# upon crashes.
-neverallow artd_subprocess_type self:process setpgid;
-neverallow artd_subprocess_type ~{artd_subprocess_type crash_dump}:process transition;
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index d7c29c2..8dd6572 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -1,6 +1,6 @@
# Domain for derive_classpath
-type derive_classpath, domain, coredomain, artd_subprocess_type;
+type derive_classpath, domain, coredomain;
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 3a841ce..18600d8 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,5 +1,5 @@
# dex2oat
-type dex2oat, domain, coredomain, artd_subprocess_type;
+type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
userfaultfd_use(dex2oat)
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index e2b5400..ca715c1 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,5 +1,5 @@
# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject, artd_subprocess_type;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
type dexoptanalyzer_tmpfs, file_type;
diff --git a/private/domain.te b/private/domain.te
index cf46510..4cf9138 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -15,12 +15,12 @@
setsched
getsession
getpgid
+ setpgid
getcap
setcap
getattr
setrlimit
};
-allow { domain -artd_subprocess_type } self:process setpgid;
allow domain self:fd use;
allow domain proc:dir r_dir_perms;
allow domain proc_net_type:dir search;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 625af63..899b0d9 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -1,5 +1,5 @@
# odrefresh
-type odrefresh, domain, coredomain, artd_subprocess_type;
+type odrefresh, domain, coredomain;
type odrefresh_exec, system_file_type, exec_type, file_type;
# Allow odrefresh to create files and directories for on device signing.
diff --git a/private/profman.te b/private/profman.te
index 7071334..af53646 100644
--- a/private/profman.te
+++ b/private/profman.te
@@ -1,5 +1,4 @@
typeattribute profman coredomain;
-typeattribute profman artd_subprocess_type;
# Allow profman to read APKs and profile files next to them by FDs passed from
# other programs. In addition, allow profman to acquire flocks on those files.