SElinux: Clean up code related to foreign dex use

We simplified the way we track whether or not a dex file is used by
other apps. DexManager in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: I464ed6b09439cf0342020ee07596f9aa8ae53b62

private/app.te

@@ -121,13 +121,6 @@ allow appdomain shell_data_file:file { write getattr };
 # Write profiles /data/misc/profiles
 allow appdomain user_profile_data_file:dir { search write add_name };
 allow appdomain user_profile_data_file:file create_file_perms;
-# Profiles for foreign dex files are just markers and only need create permissions.
-allow appdomain user_profile_foreign_dex_data_file:dir { search write add_name };
-allow appdomain user_profile_foreign_dex_data_file:file create;
-# There is no way to create user_profile_foreign_dex_data_file without
-# generating open/read denials. These permissions should not be granted and the
-# denial is harmless. dontaudit to suppress the denial.
-dontaudit appdomain user_profile_foreign_dex_data_file:file { open read };
 
 # Send heap dumps to system_server via an already open file descriptor
 # % adb shell am set-watch-heap com.android.systemui 1048576
@@ -471,10 +464,6 @@ neverallow {
   -apk_data_file
 }:file no_x_file_perms;
 
-# Foreign dex profiles are just markers. Prevent apps to do anything but touch them.
-neverallow appdomain user_profile_foreign_dex_data_file:file rw_file_perms;
-neverallow appdomain user_profile_foreign_dex_data_file:dir { open getattr read ioctl remove_name };
-
 # Applications should use the activity model for receiving events
 neverallow {
   appdomain

private/app_neverallows.te

@@ -81,7 +81,6 @@ neverallow all_untrusted_apps {
   -media_rw_data_file       # Internal storage. Known that apps can
                             # leave artfacts here after uninstall.
   -user_profile_data_file   # Access to profile files
-  -user_profile_foreign_dex_data_file   # Access to profile files
   userdebug_or_eng(`
     -method_trace_data_file # only on ro.debuggable=1
     -coredump_file          # userdebug/eng only

private/file_contexts

@@ -334,7 +334,6 @@
 # TODO(calin) label profile reference differently so that only
 # profman run as a special user can write to them
 /data/misc/profiles/cur(/.*)?       u:object_r:user_profile_data_file:s0
-/data/misc/profiles/cur/[0-9]+/foreign-dex(/.*)? u:object_r:user_profile_foreign_dex_data_file:s0
 /data/misc/profiles/ref(/.*)?       u:object_r:user_profile_data_file:s0
 /data/misc/profman(/.*)?        u:object_r:profman_dump_data_file:s0
 

private/system_server.te

@@ -22,13 +22,6 @@ type_transition system_server wpa_socket:sock_file system_wpa_socket;
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
 
-# Enable system server to check the foreign dex usage markers.
-# We need search on top level directories so that we can get to the files
-allow system_server user_profile_data_file:dir search;
-allow system_server user_profile_data_file:file getattr;
-allow system_server user_profile_foreign_dex_data_file:dir { add_name open read write search remove_name };
-allow system_server user_profile_foreign_dex_data_file:file { getattr rename unlink };
-
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
 allow system_server resourcecache_data_file:dir r_dir_perms;

public/dumpstate.te

@@ -155,8 +155,6 @@ allow dumpstate recovery_data_file:file r_file_perms;
 userdebug_or_eng(`
   allow dumpstate user_profile_data_file:dir r_dir_perms;
   allow dumpstate user_profile_data_file:file r_file_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:dir r_dir_perms;
-  allow dumpstate user_profile_foreign_dex_data_file:file r_file_perms;
 ')
 
 # Access /data/misc/logd

public/file.te

@@ -113,7 +113,6 @@ type ota_data_file, file_type, data_file_type;
 type ota_package_file, file_type, data_file_type, mlstrustedobject;
 # /data/misc/profiles
 type user_profile_data_file, file_type, data_file_type, mlstrustedobject;
-type user_profile_foreign_dex_data_file, file_type, data_file_type, mlstrustedobject;
 # /data/misc/profman
 type profman_dump_data_file, file_type, data_file_type;
 # /data/resource-cache

public/installd.te

@@ -104,8 +104,6 @@ allow installd user_profile_data_file:dir create_dir_perms;
 allow installd user_profile_data_file:file create_file_perms;
 allow installd user_profile_data_file:dir rmdir;
 allow installd user_profile_data_file:file unlink;
-allow installd user_profile_foreign_dex_data_file:dir { add_name getattr rmdir open read write search remove_name };
-allow installd user_profile_foreign_dex_data_file:file { getattr rename unlink };
 
 # Files created/updated by profman dumps.
 allow installd profman_dump_data_file:dir { search add_name write };

public/vold.te

@@ -169,7 +169,6 @@ allow vold toolbox_exec:file rx_file_perms;
 
 # Prepare profile dir for users.
 allow vold user_profile_data_file:dir create_dir_perms;
-allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
 
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;