Remove redundant sepolicy

We don't use MLS in Microdroid, so we don't need MLS rules, nor mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy checkpolicy.) A lot of attributes are unused in Microdroid, so we can remove their declarations and any references to them. (That may not make the compiled policy smaller, since hopefully they get optimised out anyway, but it means there is less policy for humans to deal with.) Remove labels that relate only to apps, which we don't have - MAC permissions, run-as, seapp_contexts. In passing, fix a comment snafu in both system & microdroid policy. Bug: 223596375 Test: Run staged-apex-compile & compos_verify, no denials Test: atest MicrodroidTests MicrodroidHostTestCases Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
2022-03-09 16:41:06 +00:00 · 2022-03-09 16:41:06 +00:00 · 7bde36e94e
commit 7bde36e94e
parent 45b7782c2b
19 changed files with 67 additions and 380 deletions
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@ -1,5 +1,4 @@
 typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 init_daemon_domain(adbd)
--- a/microdroid/system/private/attributes
+++ b/microdroid/system/private/attributes
@ -1,12 +1 @@
-hal_attribute(lazy_test);
+#
 # This is applied to apps on vendor images with SDK <=30 only,
 # to exempt them from recent mls changes. It must not be applied
 # to any domain on newer system or vendor image.
 attribute mlsvendorcompat;
 # Attributes for property types having both system_property_type
 # and vendor_property_type. Such types are ill-formed because
 # property owner attributes must be exclusive.
 attribute system_and_vendor_property_type;
 expandattribute system_and_vendor_property_type false;
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@ -182,7 +182,7 @@ allow domain fs_type:dir getattr;
 allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
 # default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
  ioctl unpriv_unix_sock_ioctls;
 # Restrict PTYs to only allowed ioctls.
@ -427,10 +427,6 @@ neverallow {
  domain
  -tombstoned
  -crash_dump
  # Processes that can't exec crash_dump
  -hal_codec2_server
  -hal_omx_server
 } tombstoned_crash_socket:unix_stream_socket connectto;
 # Never allow anyone to connect or write to
@ -500,7 +496,6 @@ neverallow {
  domain
  -adbd
  -init
  -runas
 } shell:process { transition dyntransition };
 # Minimize read access to shell-writable symlinks.
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@ -112,7 +112,6 @@
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/tombstoned u:object_r:tombstoned_exec:s0
 /system/bin/toolbox	--	u:object_r:toolbox_exec:s0
@ -132,11 +131,9 @@
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
 /system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 /system/etc/selinux/plat_sepolicy\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
 /system/etc/task_profiles\.json  u:object_r:task_profiles_file:s0
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@ -90,9 +90,7 @@ dontaudit kernel device:dir { open read relabelto };
 dontaudit kernel tmpfs:file { getattr open read relabelfrom };
 dontaudit kernel {
  file_contexts_file
  mac_perms_file
  property_contexts_file
  seapp_contexts_file
  sepolicy_test_file
  service_contexts_file
 }:file relabelto;
--- a/microdroid/system/private/mls
+++ b/microdroid/system/private/mls
@ -2,88 +2,11 @@
 # MLS policy constraints
 #
-#
+# We aren't using MLS in Microdroid. But the policy grammar requires
-# Process constraints
+# at least one MLS declaration, and checkpolicy enforces this. We
-#
+# don't want to disable MLS, since we share some file labels with the
 # host (e.g. files in APEXes) which does have MLS. So we include this
 # fairly harmless constraint.
-# Process transition:  Require equivalence unless the subject is trusted.
+# Process transition:  Require equivalence.
-mlsconstrain process { transition dyntransition }
+mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
 # Process read operations: No read up unless trusted.
 mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
 	     (l1 dom l2 or t1 == mlstrustedsubject);
 # Process write operations:  Require equivalence unless trusted.
 mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
 	     (l1 eq l2 or t1 == mlstrustedsubject);
 #
 # Socket constraints
 #
 # Create/relabel operations:  Subject must be equivalent to object unless
 # the subject is trusted.  Sockets inherit the range of their creator.
 mlsconstrain socket_class_set { create relabelfrom relabelto }
 	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
 # Datagram send: Sender must be equivalent to the receiver unless one of them
 # is trusted.
 mlsconstrain unix_dgram_socket { sendto }
 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
 # Stream connect:  Client must be equivalent to server unless one of them
 # is trusted.
 mlsconstrain unix_stream_socket { connectto }
 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
 #
 # Directory/file constraints
 #
 # Create/relabel operations:  Subject must be equivalent to object unless
 # the subject is trusted. Also, files should always be single-level.
 # Do NOT exempt mlstrustedobject types from this constraint.
 mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 	     (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
 #
 # Constraints for file types other than app data files.
 #
 # Read operations: Subject must dominate object unless the subject
 # or the object is trusted.
 mlsconstrain dir { read getattr search }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
 	     or (t1 == mlsvendorcompat and t2 == system_data_file) );
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Write operations: Subject must be equivalent to the object unless the
 # subject or the object is trusted.
 mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 # Special case for FIFOs.
 # These can be unnamed pipes, in which case they will be labeled with the
 # creating process' label. Thus we also have an exemption when the "object"
 # is a domain type, so that processes can communicate via unnamed pipes
 # passed by binder or local socket IPC.
 mlsconstrain fifo_file { read getattr }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
 mlsconstrain fifo_file { write setattr append unlink link rename }
 	     (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
 #
 # Binder IPC constraints
 #
 # Presently commented out, as apps are expected to call one another.
 # This would only make sense if apps were assigned categories
 # based on allowable communications rather than per-app categories.
 #mlsconstrain binder call
 #	(l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@ -1,4 +1,4 @@
-typeattribute shell coredomain, mlstrustedsubject;
+typeattribute shell coredomain;
 # allow shell input injection
 allow shell uhid_device:chr_file rw_file_perms;
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@ -37,11 +37,6 @@ expandattribute data_file_type false;
 attribute core_data_file_type;
 expandattribute core_data_file_type false;
 # All types used for app private data files in seapp_contexts.
 # Such types should not be applied to any other files.
 attribute app_data_file_type;
 expandattribute app_data_file_type false;
 # All types in /system
 attribute system_file_type;
@ -85,18 +80,6 @@ attribute port_type;
 # definition in tools/checkfc.c.
 attribute property_type;
 # All properties defined in core SELinux policy. Should not be
 # used by device specific properties
 attribute core_property_type;
 # All properties used to configure log filtering.
 attribute log_property_type;
 # All properties that are not specific to device but are added from
 # outside of AOSP. (e.g. OEM-specific properties)
 # These properties are not accessible from device-specific domains
 attribute extended_core_property_type;
 # Properties used for representing ownership. All properties should have one
 # of: system_property_type, product_property_type, or vendor_property_type.
@ -116,9 +99,6 @@ expandattribute system_restricted_property_type false;
 attribute system_public_property_type;
 expandattribute system_public_property_type false;
 # All keystore2_key labels.
 attribute keystore2_key_type;
 # All properties defined by /product.
 # Currently there are no enforcements between /system and /product, so for now
 # /product attributes are just replaced to /system attributes.
@ -143,21 +123,6 @@ expandattribute vendor_restricted_property_type false;
 attribute vendor_public_property_type;
 expandattribute vendor_public_property_type false;
 # All service_manager types created by system_server
 attribute system_server_service;
 # services which should be available to all but isolated apps
 attribute app_api_service;
 # services which should be available to all ephemeral apps
 attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
 # services which are explicitly disallowed for untrusted apps to access
 attribute protected_service;
 # services which served by vendor and also using the copy of libbinder on
 # system (for instance via libbinder_ndk). services using a different copy
 # of libbinder currently need their own context manager (e.g.
@ -169,32 +134,6 @@ attribute vendor_service;
 # definition in tools/checkfc.c.
 attribute service_manager_type;
 # All types used for services managed by hwservicemanager
 attribute hwservice_manager_type;
 # All HwBinder services guaranteed to be passthrough. These services always run
 # in the process of their clients, and thus operate with the same access as
 # their clients.
 attribute same_process_hwservice;
 # All HwBinder services guaranteed to be offered only by core domain components
 attribute coredomain_hwservice;
 # All HwBinder services that untrusted apps can't directly access
 attribute protected_hwservice;
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;
 # All domains that can override MLS restrictions.
 # i.e. processes that can read up and write down.
 attribute mlstrustedsubject;
 # All types that can override MLS restrictions.
 # i.e. files that can be read by lower and written by higher
 attribute mlstrustedobject;
 # All domains used for apps with network access.
 attribute netdomain;
@ -204,171 +143,26 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
 attribute update_engine_common;
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 # All vendor hwservice.
 attribute vendor_hwservice_type;
 # All socket devices owned by core domain components
 attribute coredomain_socket;
 expandattribute coredomain_socket false;
 # All vendor domains which violate the requirement of not using sockets for
 # communicating with core components
 # TODO(b/36577153): Remove this once there are no violations
 attribute socket_between_core_and_vendor_violators;
 expandattribute socket_between_core_and_vendor_violators false;
 # All vendor domains which violate the requirement of not executing
 # system processes
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 expandattribute vendor_executes_system_violators false;
 # All domains which violate the requirement of not sharing files by path
 # between between vendor and core domains.
 # TODO(b/34980020)
 attribute data_between_core_and_vendor_violators;
 expandattribute data_between_core_and_vendor_violators false;
 # All system domains which violate the requirement of not executing vendor
 # binaries/libraries.
 # TODO(b/62041836)
 attribute system_executes_vendor_violators;
 expandattribute system_executes_vendor_violators false;
 # All system domains which violate the requirement of not writing vendor
 # properties.
 # TODO(b/78598545): Remove this once there are no violations
 attribute system_writes_vendor_properties_violators;
 expandattribute system_writes_vendor_properties_violators false;
 # All system domains which violate the requirement of not writing to
 # /mnt/vendor/*. Must not be used on devices launched with P or later.
 attribute system_writes_mnt_vendor_violators;
 expandattribute system_writes_mnt_vendor_violators false;
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
 expandattribute pdx_endpoint_socket_type false;
 attribute pdx_channel_socket_type;
 expandattribute pdx_channel_socket_type false;
 pdx_service_attributes(display_client)
 pdx_service_attributes(display_manager)
 pdx_service_attributes(display_screenshot)
 pdx_service_attributes(display_vsync)
 pdx_service_attributes(performance_client)
 pdx_service_attributes(bufferhub_client)
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
 attribute halclientdomain;
 expandattribute halclientdomain true;
 # Exempt for halserverdomain to access sockets. Only builds for automotive
 # device types are allowed to use this attribute (enforced by CTS).
 # Unlike phone, in a car many modules are external from Android perspective and
 # HALs should be able to communicate with those devices through sockets.
 attribute hal_automotive_socket_exemption;
 # HALs
 hal_attribute(allocator);
 hal_attribute(atrace);
 hal_attribute(audio);
 hal_attribute(audiocontrol);
 hal_attribute(authsecret);
 hal_attribute(bluetooth);
 hal_attribute(bootctl);
 hal_attribute(bufferhub);
 hal_attribute(broadcastradio);
 hal_attribute(camera);
 hal_attribute(can_bus);
 hal_attribute(can_controller);
 hal_attribute(cas);
 hal_attribute(codec2);
 hal_attribute(configstore);
 hal_attribute(confirmationui);
 hal_attribute(contexthub);
 hal_attribute(dice);
 hal_attribute(drm);
 hal_attribute(evs);
 hal_attribute(face);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
 hal_attribute(graphics_allocator);
 hal_attribute(graphics_composer);
 hal_attribute(health);
 hal_attribute(health_storage);
 hal_attribute(identity);
 hal_attribute(input_classifier);
 hal_attribute(ir);
 hal_attribute(keymaster);
 hal_attribute(keymint);
 hal_attribute(light);
 hal_attribute(lowpan);
 hal_attribute(memtrack);
 hal_attribute(neuralnetworks);
 hal_attribute(nfc);
 hal_attribute(oemlock);
 hal_attribute(omx);
 hal_attribute(power);
 hal_attribute(power_stats);
 hal_attribute(rebootescrow);
 hal_attribute(secure_element);
 hal_attribute(sensors);
 hal_attribute(telephony);
 hal_attribute(tetheroffload);
 hal_attribute(thermal);
 hal_attribute(tv_cec);
 hal_attribute(tv_input);
 hal_attribute(tv_tuner);
 hal_attribute(usb);
 hal_attribute(usb_gadget);
 hal_attribute(vehicle);
 hal_attribute(vibrator);
 hal_attribute(vr);
 hal_attribute(weaver);
 hal_attribute(wifi);
 hal_attribute(wifi_hostapd);
 hal_attribute(wifi_supplicant);
 # HwBinder services offered across the core-vendor boundary
 #
 # We annotate server domains with x_server  to loosen the coupling between
 # system and vendor images. For example, it should be possible to move a service
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.
 attribute automotive_display_service_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute scheduler_service_server;
 attribute sensor_service_server;
 attribute stats_service_server;
 attribute system_suspend_internal_server;
 attribute system_suspend_server;
 attribute wifi_keystore_service_server;
 # All types used for super partition block devices.
 attribute super_block_device_type;
 # All types used for DMA-BUF heaps
 attribute dmabuf_heap_device_type;
 expandattribute dmabuf_heap_device_type false;
 # All types used for DSU metadata files.
 attribute gsi_metadata_file_type;
 attribute fusefs_type;
 # All types run from microdroid_manager as a payload
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@ -1,41 +1,41 @@
-type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
+type binder_device, dev_type;
 type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
-type fuse_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type;
 type hw_random_device, dev_type;
-type hwbinder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type;
 type kmsg_debug_device, dev_type;
-type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
 type kvm_device, dev_type;
 type loop_control_device, dev_type;
 type loop_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
+type null_device, dev_type;
 type open_dice_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
+type owntty_device, dev_type;
 type ppp_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
+type ptmx_device, dev_type;
 type ram_device, dev_type;
-type random_device, dev_type, mlstrustedobject;
+type random_device, dev_type;
 type rtc_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
 type tty_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
+type tun_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type;
 type uio_device, dev_type;
 type userdata_sysdev, dev_type;
 type vd_device, dev_type;
 type vndbinder_device, dev_type;
 type vsock_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
+type zero_device, dev_type;
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@ -2,7 +2,6 @@ type system_linker_exec, file_type, system_file_type;
 # file types
 type adbd_socket, file_type, coredomain_socket;
 type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 type apex_info_file, file_type;
 type apex_mnt_dir, file_type;
 type authfs_data_file, file_type, data_file_type, core_data_file_type;
@ -12,20 +11,18 @@ type cgroup_rc_file, file_type;
 type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type linkerconfig_file, file_type;
-type logd_socket, file_type, mlstrustedobject, coredomain_socket;
+type logd_socket, file_type, coredomain_socket;
-type logdr_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdr_socket, file_type, coredomain_socket;
-type logdw_socket, file_type, mlstrustedobject, coredomain_socket;
+type logdw_socket, file_type, coredomain_socket;
 type mac_perms_file, file_type, system_file_type;
 type nativetest_data_file, file_type, data_file_type, core_data_file_type;
 type property_contexts_file, file_type, system_file_type;
-type property_socket, file_type, mlstrustedobject, coredomain_socket;
+type property_socket, file_type, coredomain_socket;
 type runtime_event_log_tags_file, file_type;
 type seapp_contexts_file, file_type, system_file_type;
 type sepolicy_file, file_type, system_file_type;
 type service_contexts_file, file_type, system_file_type;
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type;
 type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type statsdw_socket, file_type, coredomain_socket;
 type system_bootstrap_lib_file, file_type, system_file_type;
 type system_data_file, file_type, data_file_type, core_data_file_type;
 type system_data_root_file, file_type, data_file_type, core_data_file_type;
@ -39,11 +36,11 @@ type system_seccomp_policy_file, file_type, system_file_type;
 type system_security_cacerts_file, file_type, system_file_type;
 type task_profiles_api_file, file_type, system_file_type;
 type task_profiles_file, file_type, system_file_type;
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tombstone_data_file, file_type, data_file_type, core_data_file_type;
-type tombstoned_crash_socket, file_type, mlstrustedobject, coredomain_socket;
+type tombstoned_crash_socket, file_type, coredomain_socket;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type trace_data_file, file_type, data_file_type, core_data_file_type;
 type unlabeled, file_type;
 type vendor_configs_file, file_type, vendor_file_type;
 type vendor_data_file, file_type, data_file_type;
@ -55,7 +52,7 @@ type binderfs, fs_type;
 type binderfs_logs, fs_type;
 type binderfs_logs_proc, fs_type;
 type binfmt_miscfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
+type cgroup, fs_type;
 type cgroup_v2, fs_type;
 type config_gz, fs_type, proc_type;
 type configfs, fs_type;
@ -65,22 +62,22 @@ type debugfs_kcov, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
 type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type;
 type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
 type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
 type debugfs_wakeup_sources, fs_type, debugfs_type;
 type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type devpts, fs_type, mlstrustedobject;
+type devpts, fs_type;
 type devtmpfs;
-type exfat, fs_type, sdcard_type, mlstrustedobject;
+type exfat, fs_type, sdcard_type;
 type fs_bpf, fs_type;
 type fs_bpf_tethering, fs_type;
-type functionfs, fs_type, mlstrustedobject;
+type functionfs, fs_type;
-type fuse, fs_type, fusefs_type, mlstrustedobject;
+type fuse, fs_type, fusefs_type;
 type fusectlfs, fs_type;
-type inotify, fs_type, mlstrustedobject;
+type inotify, fs_type;
 type labeledfs, fs_type;
 type mqueue, fs_type;
 type pipefs, fs_type;
@ -126,8 +123,8 @@ type proc_pipe_conf, fs_type, proc_type;
 type proc_pressure_cpu, fs_type, proc_type;
 type proc_pressure_io, fs_type, proc_type;
 type proc_pressure_mem, fs_type, proc_type;
-type proc_qtaguid_ctrl, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_ctrl, fs_type, proc_type;
-type proc_qtaguid_stat, fs_type, proc_type, mlstrustedobject;
+type proc_qtaguid_stat, fs_type, proc_type;
 type proc_random, fs_type, proc_type;
 type proc_sched, fs_type, proc_type;
 type proc_security, fs_type, proc_type;
@ -152,14 +149,14 @@ type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type pstorefs, fs_type;
 type rootfs, fs_type;
-type sdcardfs, fs_type, sdcard_type, mlstrustedobject;
+type sdcardfs, fs_type, sdcard_type;
 type securityfs, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
+type selinuxfs, fs_type;
 type shm, fs_type;
 type sockfs, fs_type;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs, fs_type, sysfs_type;
 type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_bluetooth_writable, fs_type, sysfs_type;
 type sysfs_devices_block, fs_type, sysfs_type;
 type sysfs_devices_cs_etm, fs_type, sysfs_type;
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
@ -177,12 +174,12 @@ type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_ion, fs_type, sysfs_type;
 type sysfs_ipv4, fs_type, sysfs_type;
-type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_kernel_notes, fs_type, sysfs_type;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
 type sysfs_lowmemorykiller, fs_type, sysfs_type;
 type sysfs_net, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_nfc_power_writable, fs_type, sysfs_type;
 type sysfs_power, fs_type, sysfs_type;
 type sysfs_rtc, fs_type, sysfs_type;
 type sysfs_suspend_stats, fs_type, sysfs_type;
@ -200,4 +197,4 @@ type sysfs_zram_uevent, fs_type, sysfs_type;
 type tmpfs, fs_type;
 type usbfs, fs_type;
 type usermodehelper, fs_type, proc_type;
-type vfat, fs_type, sdcard_type, mlstrustedobject;
+type vfat, fs_type, sdcard_type;
--- a/microdroid/system/public/init.te
+++ b/microdroid/system/public/init.te
@ -1,5 +1,5 @@
 # init is its own domain.
-type init, domain, mlstrustedsubject;
+type init, domain;
 type init_exec, system_file_type, exec_type, file_type;
 type init_tmpfs, file_type;
--- a/microdroid/system/public/kernel.te
+++ b/microdroid/system/public/kernel.te
@ -1,2 +1,2 @@
 # Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
+type kernel, domain;
--- a/microdroid/system/public/runas.te
+++ b/microdroid/system/public/runas.te
@ -1,2 +0,0 @@
 type runas, domain, mlstrustedsubject, coredomain;
 type runas_exec, file_type, exec_type, system_file_type;
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
+type shell, domain;
 type shell_exec, system_file_type, exec_type, file_type;
 # Create and use network sockets.
@ -77,6 +77,5 @@ allow shell proc:lnk_file getattr;
 # read selinux policy files
 allow shell file_contexts_file:file r_file_perms;
 allow shell property_contexts_file:file r_file_perms;
 allow shell seapp_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@ -1,4 +1,4 @@
-type statsd, domain, mlstrustedsubject;
+type statsd, domain;
 type statsd_exec, system_file_type, exec_type, file_type;
 binder_use(statsd)
--- a/microdroid/system/public/su.te
+++ b/microdroid/system/public/su.te
@ -1,3 +1,6 @@
 # Domain used for su processes, as well as for adbd and adb shell
 # after performing an adb root command.
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
@ -6,11 +9,6 @@ type su, domain;
 type su_exec, system_file_type, exec_type, file_type;
 userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  typeattribute su mlstrustedsubject;
  # Add su to various domains
  net_domain(su)
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@ -1,11 +1,11 @@
 # Miscellaneous types
-type adb_service, system_server_service, system_api_service, service_manager_type;
+type adb_service, service_manager_type;
 type apex_service, service_manager_type;
 type authfs_binder_service, service_manager_type;
 type default_android_service, service_manager_type;
 type dice_maintenance_service,  service_manager_type;
 type dice_node_service,         service_manager_type;
-type hal_dice_service, protected_service, vendor_service, service_manager_type;
+type hal_dice_service, vendor_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
--- a/microdroid/system/public/vendor_init.te
+++ b/microdroid/system/public/vendor_init.te
@ -1,5 +1,5 @@
 # vendor_init is its own domain.
-type vendor_init, domain, mlstrustedsubject;
+type vendor_init, domain;
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };
--- a/public/su.te
+++ b/public/su.te
@ -1,3 +1,6 @@
 # Domain used for su processes, as well as for adbd and adb shell
 # after performing an adb root command.
 # All types must be defined regardless of build variant to ensure
 # policy compilation succeeds with userdebug/user combination at boot
 type su, domain;
@ -6,9 +9,6 @@ type su, domain;
 type su_exec, system_file_type, exec_type, file_type;
 userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  typeattribute su mlstrustedsubject;
  # Add su to various domains
`@ -1,2 +1,2 @@`
	`# Life begins with the kernel.`	`# Life begins with the kernel.`
	`type kernel, domain, mlstrustedsubject;`	`type kernel, domain;`
		`@ -1,2 +0,0 @@`
			`type runas, domain, mlstrustedsubject, coredomain;`
			`type runas_exec, file_type, exec_type, system_file_type;`