Remove remaining APEX sepolicy types
Bug: 297794885 Test: boot cuttlefish Change-Id: I2ff465217adcf1bb0267ea6d487a9a46b6584458
This commit is contained in:
Inseob Kim
parent
fcc90e8af2
commit
2f0bcc1b0a
6 changed files with 0 additions and 57 deletions
|
|
@ -14,10 +14,6 @@ allow system_data_file tmpfs:filesystem associate;
|
|||
|
||||
type authfs_fuse, fs_type, contextmount_type;
|
||||
|
||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
||||
# property labeled.
|
||||
type sepolicy_test_file, file_type;
|
||||
|
||||
# /system/bin/mke2fs - used to format encryptedstore block device
|
||||
type e2fs_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -81,16 +81,3 @@ allow kernel apexd:fd use;
|
|||
|
||||
#-----------------------------------------
|
||||
allow kernel apkdmverity:fd use;
|
||||
|
||||
# Some contexts are changed before the device is flipped into enforcing mode
|
||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
||||
# the permissions should not be allowed after the device is flipped into
|
||||
# enforcing mode.
|
||||
dontaudit kernel device:dir { open read relabelto };
|
||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
||||
dontaudit kernel {
|
||||
file_contexts_file
|
||||
property_contexts_file
|
||||
sepolicy_test_file
|
||||
service_contexts_file
|
||||
}:file relabelto;
|
||||
|
|
|
|||
|
|
@ -13,14 +13,6 @@ allow apexd metadata_file:dir search;
|
|||
allow apexd apex_metadata_file:dir create_dir_perms;
|
||||
allow apexd apex_metadata_file:file create_file_perms;
|
||||
|
||||
# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
|
||||
allow apexd sepolicy_metadata_file:dir create_dir_perms;
|
||||
allow apexd sepolicy_metadata_file:file create_file_perms;
|
||||
# Allow apexd to setup fs-verity for SEPolicy files in metadata
|
||||
allowxperm apexd sepolicy_metadata_file:file ioctl {
|
||||
FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
|
||||
};
|
||||
|
||||
# Allow reserving space on /data/apex/ota_reserved for apex decompression
|
||||
allow apexd apex_ota_reserved_file:dir create_dir_perms;
|
||||
allow apexd apex_ota_reserved_file:file create_file_perms;
|
||||
|
|
|
|||
|
|
@ -118,13 +118,6 @@ type compos_exec, exec_type, file_type, system_file_type;
|
|||
# /apex/com.android.compos/bin/compos_key_helper
|
||||
type compos_key_helper_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# /metadata/sepolicy
|
||||
type sepolicy_metadata_file, file_type;
|
||||
|
||||
# /dev/selinux/test - used to verify that apex sepolicy is loaded and
|
||||
# property labeled.
|
||||
type sepolicy_test_file, file_type;
|
||||
|
||||
# /apex/com.android.art/bin/art_exec
|
||||
# This executable does not have its own domain because it is executed in the caller's domain. For
|
||||
# example, it is executed in the `artd` domain when artd calls it.
|
||||
|
|
|
|||
|
|
@ -205,14 +205,6 @@
|
|||
#
|
||||
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
|
||||
|
||||
# Apex sepoolicy files.
|
||||
/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
|
||||
/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
|
||||
/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
|
||||
/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
|
||||
/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
|
||||
/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
|
||||
|
||||
#############################
|
||||
# System files
|
||||
#
|
||||
|
|
@ -844,7 +836,6 @@
|
|||
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
|
||||
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
|
||||
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
|
||||
/metadata/sepolicy(/.*)? u:object_r:sepolicy_metadata_file:s0
|
||||
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
|
||||
/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
|
||||
/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
|
||||
|
|
|
|||
|
|
@ -44,19 +44,3 @@ dontaudit kernel dm_user_device:dir { write add_name };
|
|||
dontaudit kernel dm_user_device:chr_file { create setattr };
|
||||
dontaudit kernel tmpfs:lnk_file read;
|
||||
dontaudit kernel tmpfs:blk_file { open read };
|
||||
|
||||
# Some contexts are changed before the device is flipped into enforcing mode
|
||||
# during the setup of Apex sepolicy. These denials can be suppressed since
|
||||
# the permissions should not be allowed after the device is flipped into
|
||||
# enforcing mode.
|
||||
dontaudit kernel device:dir { open read relabelto };
|
||||
dontaudit kernel tmpfs:file { getattr open read relabelfrom };
|
||||
dontaudit kernel {
|
||||
file_contexts_file
|
||||
hwservice_contexts_file
|
||||
mac_perms_file
|
||||
property_contexts_file
|
||||
seapp_contexts_file
|
||||
sepolicy_test_file
|
||||
service_contexts_file
|
||||
}:file relabelto;
|
||||
|
|
|
|||
Loading…
Reference in a new issue