Remove TZUvA feature.

The feature was superseded by tzdata mainline module(s). Bug: 148144561 Test: see system/timezone Test: m selinux_policy Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300 Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
2019-04-30 22:12:54 +01:00 · 2019-04-30 22:12:54 +01:00 · 37888b33ba
commit 37888b33ba
parent f6fefa9d61
16 changed files with 7 additions and 58 deletions
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@ -10,6 +10,10 @@
 (type iorapd_exec)
 (type iorapd_service)
 (type iorapd_tmpfs)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type zoneinfo_data_file)

 (expandtypeattribute (DockObserver_service_33_0) true)
 (expandtypeattribute (IProxyService_service_33_0) true)
--- a/private/file_contexts
+++ b/private/file_contexts
@ -325,7 +325,6 @@
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
 /system/bin/idmap u:object_r:idmap_exec:s0
 /system/bin/idmap2(d)?           u:object_r:idmap_exec:s0
@ -653,7 +652,6 @@
 /data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
 /data/misc/wifi/sockets(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
--- a/private/perfetto.te
+++ b/private/perfetto.te
@ -116,17 +116,13 @@ neverallow perfetto {
  # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
  # neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
-  -zoneinfo_data_file
  -perfetto_traces_data_file
  -perfetto_configs_data_file
  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
 neverallow perfetto {
  data_file_type
-  -zoneinfo_data_file
  -perfetto_traces_data_file
  -perfetto_configs_data_file
  with_native_coverage(`-method_trace_data_file')
--- a/private/platform_app.te
+++ b/private/platform_app.te
@ -67,7 +67,6 @@ allow platform_app mediadrmserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -347,7 +347,6 @@ textservices                              u:object_r:textservices_service:s0
 texttospeech                              u:object_r:texttospeech_service:s0
 time_detector                             u:object_r:timedetector_service:s0
 time_zone_detector                        u:object_r:timezonedetector_service:s0
-timezone                                  u:object_r:timezone_service:s0
 thermalservice                            u:object_r:thermal_service:s0
 tracing.proxy                             u:object_r:tracingproxy_service:s0
 translation                               u:object_r:translation_service:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -613,10 +613,6 @@ allow system_server vpn_data_file:file create_file_perms;
 allow system_server wifi_data_file:dir create_dir_perms;
 allow system_server wifi_data_file:file create_file_perms;

-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
 # Manage /data/app-staging.
 allow system_server staging_data_file:dir create_dir_perms;
 allow system_server staging_data_file:file create_file_perms;
--- a/private/traced.te
+++ b/private/traced.te
@ -93,15 +93,11 @@ neverallow traced {
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
-  -zoneinfo_data_file
  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced {
  data_file_type
-  -zoneinfo_data_file
  -perfetto_traces_data_file
  -perfetto_traces_bugreport_data_file
  -trace_data_file
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@ -139,15 +139,11 @@ neverallow traced_probes {
  # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
  # subsequent neverallow. Currently only getattr and search are allowed.
  -vendor_data_file
-  -zoneinfo_data_file
  with_native_coverage(`-method_trace_data_file')
 }:dir *;
 neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
 neverallow traced_probes {
  data_file_type
-  -zoneinfo_data_file
  -packages_list_file
  with_native_coverage(`-method_trace_data_file')
  -game_mode_intervention_list_file
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
--- a/public/domain.te
+++ b/public/domain.te
@ -226,11 +226,10 @@ full_treble_only(`
 # read and stat any sysfs symlinks
 allow domain sysfs:lnk_file { getattr read };

-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
 # This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;

 # Lots of processes access current CPU information
 r_dir_file(domain, sysfs_devices_system_cpu)
@ -835,11 +834,6 @@ full_treble_only(`
    -vendor_init
  } {
    core_data_file_type
-    # libc includes functions like mktime and localtime which attempt to access
-    # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
-    # These functions are considered vndk-stable and thus must be allowed for
-    # all processes.
-    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  neverallow {
@ -848,7 +842,6 @@ full_treble_only(`
  } {
    core_data_file_type
    -unencrypted_data_file
-    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:file_class_set ~{ append getattr ioctl read write map };
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@ -869,7 +862,6 @@ full_treble_only(`
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
-    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  neverallow {
@ -882,7 +874,6 @@ full_treble_only(`
    -system_data_root_file
    -vendor_userdir_file
    -vendor_data_file
-    -zoneinfo_data_file
    with_native_coverage(`-method_trace_data_file')
  }:dir *;
  # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
--- a/public/file.te
+++ b/public/file.te
@ -450,7 +450,6 @@ type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
 type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type vpn_data_file, file_type, data_file_type, core_data_file_type;
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@ -42,7 +42,6 @@ neverallow hal_configstore_server {
  data_file_type
  -anr_data_file # for crash dump collection
  -tombstone_data_file # for crash dump collection
-  -zoneinfo_data_file # granted to domain
  with_native_coverage(`-method_trace_data_file')
 }:{ file fifo_file sock_file } *;

--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@ -67,7 +67,6 @@ neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
 # descriptor opened outside the process.
 neverallow mediaextractor {
  data_file_type
-  -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
  userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
  with_native_coverage(`-method_trace_data_file')
 }:file open;
--- a/public/service.te
+++ b/public/service.te
@ -227,7 +227,6 @@ type texttospeech_service, app_api_service, ephemeral_app_api_service, system_se
 type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
 type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
 type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
 type trust_service, app_api_service, system_server_service, service_manager_type;
--- a/public/shell.te
+++ b/public/shell.te
@ -60,7 +60,6 @@ allow shell input_device:chr_file r_file_perms;
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;

--- a/public/tzdatacheck.te
+++ b/public/tzdatacheck.te
@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;