From abf12e1e9ba6368c9fbf8cd744afdcadef18bb65 Mon Sep 17 00:00:00 2001
From: Jared Duke
Date: Thu, 19 Oct 2023 22:02:35 +0000
Subject: [PATCH] Remove sepolicy for viewcompiler
This tool has been removed, so remove the associated sepolicy config.
Bug: 158121974
Test: m
Change-Id: I7fe3a731fe5680d192bae640b6fc3ccdacbc60d3
---
 private/domain.te | 1 -
 private/file_contexts | 1 -
 private/installd.te | 3 ---
 private/viewcompiler.te | 25 -------------------------
 4 files changed, 30 deletions(-)
 delete mode 100644 private/viewcompiler.te
diff --git a/private/domain.te b/private/domain.te
index b5525d52f..bac2a7e28 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1609,7 +1609,6 @@ neverallow {
 -rs # spawned by appdomain, so carryover the exception above
 -runas
 -system_server
- -viewcompiler
 -zygote
 } { privapp_data_file app_data_file }:dir *;
diff --git a/private/file_contexts b/private/file_contexts
index 2b1de69c2..567f30d51 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -348,7 +348,6 @@
 /system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
 /system/bin/blkid u:object_r:blkid_exec:s0
 /system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
diff --git a/private/installd.te b/private/installd.te
index feb47f745..0a5028576 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -12,9 +12,6 @@ domain_auto_trans(installd, dex2oat_exec, dex2oat)
 # Run dexoptanalyzer in its own sandbox.
 domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-# Run viewcompiler in its own sandbox.
-domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
-
 # Run profman in its own sandbox.
 domain_auto_trans(installd, profman_exec, profman)
diff --git a/private/viewcompiler.te b/private/viewcompiler.te
deleted file mode 100644
index d1f096441..000000000
--- a/private/viewcompiler.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# viewcompiler
-type viewcompiler, domain, coredomain, mlstrustedsubject;
-type viewcompiler_exec, system_file_type, exec_type, file_type;
-type viewcompiler_tmpfs, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by viewcompiler vs other
-# processes.
-tmpfs_domain(viewcompiler)
-
-allow viewcompiler installd:fd use;
-
-# Include write permission for app data files so viewcompiler can generate
-# compiled layout dex files
-allow viewcompiler app_data_file:file { getattr write };
-
-# Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file { read map };
-
-# priv-apps are moving to a world where they can only execute
-# signed code. Make sure viewcompiler never can write to privapp
-# directories to avoid introducing unsigned executable code
-neverallow viewcompiler privapp_data_file:file no_w_file_perms;