Merge "[sepolicy] remove vendor_incremental_module from global sepolicy rules" into rvc-dev

2020-03-09 01:40:27 +00:00 · 2020-03-09 01:40:27 +00:00 · 3daa20f14f
commit 3daa20f14f
parent 7ab65fadb7 5d7887850b
5 changed files with 1 additions and 10 deletions
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -105,7 +105,6 @@
    tv_tuner_resource_mgr_service
    vendor_apex_file
    vendor_boringssl_self_test
-    vendor_incremental_module
    vendor_install_recovery
    vendor_install_recovery_exec
    vendor_socket_hook_prop
--- a/private/file_contexts
+++ b/private/file_contexts
@ -374,7 +374,6 @@
 /(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
-(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko     u:object_r:vendor_incremental_module:s0

 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
--- a/public/domain.te
+++ b/public/domain.te
@ -996,6 +996,7 @@ full_treble_only(`
    -system_executes_vendor_violators
    -traced_perf # library/binary access for symbolization
    -ueventd # reads /vendor/ueventd.rc
+    -vold # loads incremental fs driver
  } {
    vendor_file_type
    -same_process_hal_file
@ -1009,7 +1010,6 @@ full_treble_only(`
    -vendor_overlay_file
    -vendor_public_lib_file
    -vendor_task_profiles_file
-    -vendor_incremental_module
    -vndk_sp_file
  }:file *;
 ')
--- a/public/file.te
+++ b/public/file.te
@ -210,8 +210,6 @@ type vendor_overlay_file, vendor_file_type, file_type;
 # Type for all vendor public libraries. These libs should only be exposed to
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
-# Default type for incremental file system driver
-type vendor_incremental_module, vendor_file_type, file_type;

 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
--- a/public/vold.te
+++ b/public/vold.te
@ -52,11 +52,6 @@ allowxperm vold data_file_type:dir ioctl {
  FS_IOC_REMOVE_ENCRYPTION_KEY
 };

-# Allow to load incremental file system driver
-allow vold self:capability sys_module;
-allow vold vendor_incremental_module:file r_file_perms;
-allow vold vendor_incremental_module:system module_load;
-
 # Only vold and init should ever set file-based encryption policies.
 neverallowxperm {
  domain