sepolicy: remove ashmemd

Bug: 139855428 Test: m selinux_policy Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
2019-09-25 11:20:01 -07:00 · 2019-09-25 11:20:01 -07:00 · bfcddbe25e
commit bfcddbe25e
parent e612ecd6ed
22 changed files with 4 additions and 60 deletions
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@ -103,7 +103,6 @@ neverallow app_zygote {
 neverallow app_zygote {
    service_manager_type
    -activity_service
-    -ashmem_device_service
    -webviewupdate_service
 }:service_manager find;

--- a/private/ashmemd.te
+++ b/private/ashmemd.te
@ -1,9 +0,0 @@
-typeattribute ashmemd coredomain;
-type ashmemd_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(ashmemd)
-
-binder_use(ashmemd)
-add_service(ashmemd, ashmem_device_service)
-
-allow ashmemd ashmem_device:chr_file rw_file_perms;
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -125,7 +125,6 @@
    su_tmpfs
    super_block_device
    sysfs_fs_f2fs
-    system_ashmem_hwservice
    system_bootstrap_lib_file
    system_event_log_tags_file
    system_lmk_prop
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@ -1,4 +1,5 @@
 ;; types removed from current policy
+(type ashmemd)
 (type hal_wifi_offload_hwservice)
 (type mediacodec_service)
 (type perfprofd_data_file)
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -19,7 +19,6 @@
    linker_prop
    ota_metadata_file
    art_apex_dir
-    system_ashmem_hwservice
    system_group_file
    system_passwd_file
    vendor_apex_file
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -187,16 +187,3 @@ neverallow coredomain {
 full_treble_only(`
  neverallow coredomain tee_device:chr_file { open read append write ioctl };
 ')
-
-# Allow access to ashmemd to request /dev/ashmem fds.
-allow {
-  coredomain
-  -init
-  -iorapd
-} ashmem_device_service:service_manager find;
-
-binder_call({
-  coredomain
-  -init
-  -iorapd
-}, ashmemd)
--- a/private/file_contexts
+++ b/private/file_contexts
@ -186,7 +186,6 @@
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
-/system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@ -3,6 +3,3 @@ hal_server_domain(hal_allocator_default, hal_allocator)

 type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
-
-# To talk to ashmemd
-binder_use(hal_allocator_default)
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@ -79,7 +79,6 @@ android.hidl.base::IBase                                        u:object_r:hidl_
 android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
 android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
 android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
-android.system.ashmem::IAshmem                                  u:object_r:system_ashmem_hwservice:s0
 android.system.net.netd::INetd                                  u:object_r:system_net_netd_hwservice:s0
 android.system.suspend::ISystemSuspend                          u:object_r:system_suspend_hwservice:s0
 android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -92,12 +92,10 @@ neverallow isolated_app *:service_manager ~find;

 # b/17487348
 # Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service, and
-# ashmem_device_service.
+# activity_service, display_service, webviewupdate_service.
 neverallow isolated_app {
    service_manager_type
    -activity_service
-    -ashmem_device_service
    -display_service
    -webviewupdate_service
 }:service_manager find;
--- a/private/service.te
+++ b/private/service.te
@ -1,4 +1,3 @@
-type ashmem_device_service,         app_api_service, service_manager_type;
 type attention_service,             system_server_service, service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -10,7 +10,6 @@ android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
-ashmem_device_service                     u:object_r:ashmem_device_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@ -177,6 +177,5 @@ userdebug_or_eng(`
  allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')

-# Allow access to ashmemd to request /dev/ashmem fds.
-binder_call(untrusted_app_all, ashmemd)
+# Allow (rw_file_perms - open) access to /dev/ashmem.
 allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@ -113,7 +113,6 @@ neverallow webview_zygote {
 neverallow webview_zygote {
    service_manager_type
    -activity_service
-    -ashmem_device_service
    -webviewupdate_service
 }:service_manager find;

--- a/public/app.te
+++ b/public/app.te
@ -357,9 +357,6 @@ allow appdomain audioserver_tmpfs:file { getattr map read write };
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };

-# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
-binder_call({ appdomain -coredomain }, ashmem_server)
-
 ###
 ### Neverallow rules
 ###
--- a/public/ashmem_server.te
+++ b/public/ashmem_server.te
@ -1,3 +0,0 @@
-hwbinder_use(ashmem_server)
-get_prop(ashmem_server, hwservicemanager_prop)
-add_hwservice(ashmem_server, system_ashmem_hwservice)
--- a/public/ashmemd.te
+++ b/public/ashmemd.te
@ -1,3 +0,0 @@
-# TODO(b/133869224): Make private once ashmemd
-# is cleaned up from vendor sepolicy.
-type ashmemd, domain, ashmem_server;
--- a/public/attributes
+++ b/public/attributes
@ -351,7 +351,6 @@ hal_attribute(wifi_supplicant);
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.

-attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute scheduler_service_server;
--- a/public/domain.te
+++ b/public/domain.te
@ -72,7 +72,7 @@ allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow {
  domain
-  # TODO(b/113362644): route coredomain to ashmemd
+  # TODO(b/113362644): route coredomain to libcutils.
  #-coredomain
  -mediaprovider
  -ephemeral_app
@ -83,14 +83,6 @@ allow {
 # This device is used by libcutils.
 allow domain ashmem_libcutils_device:chr_file rw_file_perms;

-# Allow using fds to /dev/ashmem.
-allow domain ashmem_server:fd use;
-
-# Allow vendor hals to access IAshmem
-# TODO(b/134783601): Change to a whitelist.
-allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
-allow { domain -coredomain -appdomain } ashmem_server: binder call;
-
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;

--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -56,7 +56,6 @@ type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
--- a/public/installd.te
+++ b/public/installd.te
@ -171,7 +171,6 @@ neverallow { domain -system_server -dumpstate -installd } installd_service:servi
 neverallow { domain -system_server -dumpstate } installd:binder call;
 neverallow installd {
    domain
-    -ashmem_server
    -system_server
    -servicemanager
    userdebug_or_eng(`-su')
--- a/public/vold.te
+++ b/public/vold.te
@ -305,7 +305,6 @@ neverallow {

 neverallow vold {
  domain
-  -ashmem_server
  -hal_health_storage_server
  -hal_keymaster_server
  -system_suspend_server