From 1aac0c51a0e1e02100696390b6eef0d8f8cff804 Mon Sep 17 00:00:00 2001
From: Hansen Kurli
Date: Tue, 28 Nov 2023 14:11:06 +0800
Subject: [PATCH] Remove all sepolicy relating to racoon

Legacy VPNs are removed, including the usage of racoon.

Bug: 161776767
Test: m
Change-Id: I8211b3f00cc0213b1c89b269857adc7c21b97efb
---
 private/compat/34.0/34.0.cil | 4 ++++
 private/file_contexts | 2 --
 private/racoon.te | 3 ---
 private/system_server.te | 1 -
 public/racoon.te | 27 ---------------------------
 5 files changed, 4 insertions(+), 33 deletions(-)
 delete mode 100644 private/racoon.te
 delete mode 100644 public/racoon.te

diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index aa8a56c1f..b10103e82 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -1,3 +1,7 @@
+;; types removed from current policy
+(type racoon)
+(type racoon_exec)
+
 ;; mapping information from ToT policy's types to 34.0 policy's types.
 (expandtypeattribute (DockObserver_service_34_0) true)
 (expandtypeattribute (IProxyService_service_34_0) true)
diff --git a/private/file_contexts b/private/file_contexts
index 32092daf0..332ab2dc3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -177,7 +177,6 @@
 /dev/socket/prng_seeder u:object_r:prng_seeder_socket:s0
 /dev/socket/property_service u:object_r:property_socket:s0
 /dev/socket/property_service_for_system u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
 /dev/socket/recovery u:object_r:recovery_socket:s0
 /dev/socket/rild u:object_r:rild_socket:s0
 /dev/socket/rild-debug u:object_r:rild_debug_socket:s0
@@ -319,7 +318,6 @@
 /system/bin/dmesgd u:object_r:dmesgd_exec:s0
 /system/bin/mtpd u:object_r:mtp_exec:s0
 /system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
 /system/xbin/su u:object_r:su_exec:s0
 /system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
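Review bot: The new compat entries under `;; types removed from current policy` cover only `racoon` and `racoon_exec`, yet the file_contexts hunk in the same commit drops the `/dev/socket/racoon` entry labelled `racoon_socket`, and that type is not mapped here. If `racoon_socket` is also being retired from policy (its declaration is not in this diff, so I cannot tell), a 34.0 vendor policy that still references it would fail to compile against the current platform without a third line, `(type racoon_socket)`, next to the two added ones. If the type is intentionally kept, it is now a declared label with no labelling rule and no domain that can reach it, which is worth either a follow-up removal or a short comment stating why it stays. Removing the domain itself is a clear attack-surface reduction, since the deleted public/racoon.te granted net_admin/net_raw capabilities, tun and key sockets, and keystore access to a process that no longer ships.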
diff --git a/private/racoon.te b/private/racoon.te
deleted file mode 100644
index 42ea7c9e4..000000000
--- a/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/private/system_server.te b/private/system_server.te
index 97e64af1b..88d6316bf 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -262,7 +262,6 @@ allow system_server self:tun_socket create_socket_perms_no_ioctl;
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Allow system_server to write to statsd.
diff --git a/public/racoon.te b/public/racoon.te
deleted file mode 100644
index b0383f060..000000000
--- a/public/racoon.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)