Remove policy for non-existent devices

We still had policy for devices which do not currently exist in
Microdroid. Remove the unused types and all references to them in the
policy, since they have no effect and just bloat the policy.

While I'm here, delete all the bug_map entries. We don't use the
bug_map in Microdroid, and this is just an outdated snapshot from host
policy.

Bug: 274752167
Test: atest MicrodroidTests
Test: composd-cmd test-compile
Change-Id: I3ab90f8e3517c41eff0052a0c8f6610fa35ccdcb
This commit is contained in:
Alan Stokes 2023-03-24 18:06:35 +00:00
parent 1b382aa8b0
commit 4f92d5bd99
9 changed files with 0 additions and 88 deletions


@ -1,35 +0,0 @@
dnsmasq netd fifo_file b/77868789
dnsmasq netd unix_stream_socket b/77868789
gmscore_app system_data_file dir b/146166941
init app_data_file file b/77873135
init cache_file blk_file b/77873135
init logpersist file b/77873135
init nativetest_data_file dir b/77873135
init pstorefs dir b/77873135
init shell_data_file dir b/77873135
init shell_data_file file b/77873135
init shell_data_file lnk_file b/77873135
init shell_data_file sock_file b/77873135
init system_data_file chr_file b/77873135
isolated_app privapp_data_file dir b/119596573
isolated_app app_data_file dir b/120394782
mediaextractor app_data_file file b/77923736
mediaextractor radio_data_file file b/77923736
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
mediaswcodec ashmem_device chr_file b/142679232
netd priv_app unix_stream_socket b/77870037
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
zygote labeledfs filesystem b/170748799


@ -185,10 +185,6 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
# named pipes, and named sockets). We start off with a safe set. # named pipes, and named sockets). We start off with a safe set.
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX }; allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
# If a domain has ioctl access to tun_device, it must clearly enumerate the
# ioctls used. Safe defaults are listed below.
allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
# Allow a process to make a determination whether a file descriptor # Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting # for a plain file or pipe (fifo_file) is a tty. Note that granting
# this allowlist to domain does not grant the ioctl permission to # this allowlist to domain does not grant the ioctl permission to
@ -229,8 +225,6 @@ allow domain cgroup_v2:dir search;
allow { domain } cgroup_v2:dir w_dir_perms; allow { domain } cgroup_v2:dir w_dir_perms;
allow { domain } cgroup_v2:file w_file_perms; allow { domain } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms; allow domain task_profiles_file:file r_file_perms;
allow domain task_profiles_api_file:file r_file_perms; allow domain task_profiles_api_file:file r_file_perms;
@ -533,12 +527,6 @@ neverallow domain {
neverallow domain cgroup:file create; neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create; neverallow domain cgroup_v2:file create;
# Only apps targetting < Q are allowed to open /dev/ashmem directly.
# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
neverallow {
domain
} ashmem_device:chr_file open;
neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *; neverallow { domain -init -vendor_init -traced_probes } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds. # Linux lockdown "integrity" level is enforced for user builds.


@ -1,7 +1,6 @@
allow fs_type self:filesystem associate; allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate; allow cgroup tmpfs:filesystem associate;
allow cgroup_v2 tmpfs:filesystem associate; allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate; allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate; allow dev_type tmpfs:filesystem associate;
allow encryptedstore_file encryptedstore_fs:filesystem associate; allow encryptedstore_file encryptedstore_fs:filesystem associate;


@ -32,8 +32,6 @@
# Devices # Devices
# #
/dev(/.*)? u:object_r:device:s0 /dev(/.*)? u:object_r:device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
/dev/block(/.*)? u:object_r:block_device:s0 /dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0 /dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0 /dev/block/loop[0-9]* u:object_r:loop_device:s0
@ -41,14 +39,8 @@
/dev/block/ram[0-9]* u:object_r:ram_device:s0 /dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0 /dev/block/zram[0-9]* u:object_r:ram_device:s0
/dev/console u:object_r:console_device:s0 /dev/console u:object_r:console_device:s0
/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
/dev/dm-user(/.*)? u:object_r:dm_user_device:s0 /dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0 /dev/device-mapper u:object_r:dm_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0 /dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0 /dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0 /dev/hvc1 u:object_r:serial_device:s0
@ -59,7 +51,6 @@
/dev/ptmx u:object_r:ptmx_device:s0 /dev/ptmx u:object_r:ptmx_device:s0
/dev/kmsg u:object_r:kmsg_device:s0 /dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0 /dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0 /dev/null u:object_r:null_device:s0
/dev/open-dice0 u:object_r:open_dice_device:s0 /dev/open-dice0 u:object_r:open_dice_device:s0
/dev/random u:object_r:random_device:s0 /dev/random u:object_r:random_device:s0
@ -73,17 +64,10 @@
/dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0 /dev/socket/vm_payload_service u:object_r:vm_payload_service_socket:s0
/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0 /dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/traced_producer u:object_r:traced_producer_socket:s0 /dev/socket/traced_producer u:object_r:traced_producer_socket:s0
/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0 /dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0 /dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0 /dev/ttyS[0-9]* u:object_r:serial_device:s0
/dev/tun u:object_r:tun_device:s0
/dev/uhid u:object_r:uhid_device:s0
/dev/uinput u:object_r:uhid_device:s0
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0 /dev/urandom u:object_r:random_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/vsock u:object_r:vsock_device:s0 /dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0 /dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0 /dev/__properties__ u:object_r:properties_device:s0


@ -27,7 +27,6 @@ allow init vd_device:blk_file relabelto;
allow init { allow init {
dev_type dev_type
-hw_random_device -hw_random_device
-kvm_device
}:chr_file setattr; }:chr_file setattr;
# /dev/__null__ node created by init. # /dev/__null__ node created by init.
@ -40,9 +39,6 @@ allow init property_type:file { append create getattr map open read relabelto re
# /dev/__properties__/property_info # /dev/__properties__/property_info
allow init properties_device:file create_file_perms; allow init properties_device:file create_file_perms;
allow init property_info:file relabelto; allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket # /dev/socket
allow init { device socket_device dm_user_device }:dir relabelto; allow init { device socket_device dm_user_device }:dir relabelto;
# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random # Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
@ -114,7 +110,6 @@ allow init tmpfs:dir create_dir_perms;
allow init tmpfs:dir mounton; allow init tmpfs:dir mounton;
allow init cgroup:dir create_dir_perms; allow init cgroup:dir create_dir_perms;
allow init cgroup:file rw_file_perms; allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms; allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms; allow init cgroup_desc_api_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms}; allow init cgroup_v2:dir { mounton create_dir_perms};
@ -181,7 +176,6 @@ allow init {
file_type file_type
-apex_info_file -apex_info_file
-exec_type -exec_type
-runtime_event_log_tags_file
-shell_data_file -shell_data_file
-system_file_type -system_file_type
-vendor_file_type -vendor_file_type


@ -1,8 +1,5 @@
typeattribute shell coredomain; typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
# Perform SELinux access checks, needed for CTS # Perform SELinux access checks, needed for CTS
selinux_check_access(shell) selinux_check_access(shell)
selinux_check_context(shell) selinux_check_context(shell)


@ -1,24 +1,17 @@
type ashmem_device, dev_type;
type ashmem_libcutils_device, dev_type;
type block_device, dev_type; type block_device, dev_type;
type console_device, dev_type; type console_device, dev_type;
type device, dev_type, fs_type; type device, dev_type, fs_type;
type dm_device, dev_type; type dm_device, dev_type;
type dm_user_device, dev_type; type dm_user_device, dev_type;
type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type; type fuse_device, dev_type;
type hw_random_device, dev_type; type hw_random_device, dev_type;
type kmsg_debug_device, dev_type; type kmsg_debug_device, dev_type;
type kmsg_device, dev_type; type kmsg_device, dev_type;
type kvm_device, dev_type;
type loop_control_device, dev_type; type loop_control_device, dev_type;
type loop_device, dev_type; type loop_device, dev_type;
type null_device, dev_type; type null_device, dev_type;
type open_dice_device, dev_type; type open_dice_device, dev_type;
type owntty_device, dev_type; type owntty_device, dev_type;
type ppp_device, dev_type;
type properties_device, dev_type; type properties_device, dev_type;
type properties_serial, dev_type; type properties_serial, dev_type;
type property_info, dev_type; type property_info, dev_type;
@ -30,10 +23,6 @@ type serial_device, dev_type;
type log_device, dev_type; type log_device, dev_type;
type socket_device, dev_type; type socket_device, dev_type;
type tty_device, dev_type; type tty_device, dev_type;
type tun_device, dev_type;
type uhid_device, dev_type;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type; type vd_device, dev_type;
type vsock_device, dev_type; type vsock_device, dev_type;
type zero_device, dev_type; type zero_device, dev_type;


@ -8,14 +8,12 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
type authfs_service_socket, file_type, coredomain_socket; type authfs_service_socket, file_type, coredomain_socket;
type cgroup_desc_api_file, file_type, system_file_type; type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type; type cgroup_desc_file, file_type, system_file_type;
type cgroup_rc_file, file_type;
type extra_apk_file, file_type; type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type; type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type; type linkerconfig_file, file_type;
type nativetest_data_file, file_type, data_file_type, core_data_file_type; type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type; type property_contexts_file, file_type, system_file_type;
type property_socket, file_type, coredomain_socket; type property_socket, file_type, coredomain_socket;
type runtime_event_log_tags_file, file_type;
type sepolicy_file, file_type, system_file_type; type sepolicy_file, file_type, system_file_type;
type service_contexts_file, file_type, system_file_type; type service_contexts_file, file_type, system_file_type;
type shell_data_file, file_type, data_file_type, core_data_file_type; type shell_data_file, file_type, data_file_type, core_data_file_type;


@ -49,7 +49,6 @@ allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom }
allow vendor_init { allow vendor_init {
file_type file_type
-exec_type -exec_type
-runtime_event_log_tags_file
-system_file_type -system_file_type
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
@ -144,6 +143,5 @@ allow vendor_init self:capability sys_nice;
# chown/chmod on devices, e.g. /dev/ttyHS0 # chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init { allow vendor_init {
dev_type dev_type
-kvm_device
-hw_random_device -hw_random_device
}:chr_file setattr; }:chr_file setattr;