Cleanup sepolicy related to APEX pre/post-install hooks

The pre/post-install hook functionality has been deprecated and removed.

Bug: 172606645
Test: atest ApexTestCases
Test: atest CtsStagedInstallHostTestCases
Change-Id: I8a5f726a0c8f005654d0430b5a4598e416ff9c28
Nikita Ioffe 2021-09-17 17:52:48 +01:00
parent ad48d3e9f1
commit c0cac4114c
2 changed files with 0 additions and 23 deletions


@ -1,4 +1,2 @@
/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0


@ -123,31 +123,10 @@ set_prop(apexd, ctl_apexd_prop)
allow apexd vold_service:service_manager find;
binder_call(apexd, vold)
# Apex pre- & post-install permission.
# Allow self-execute for the fork mount helper.
allow apexd apexd_exec:file execute_no_trans;
# Unshare and make / private so that hooks cannot influence the
# running system.
allow apexd rootfs:dir mounton;
# Allow to execute shell for pre- and postinstall scripts. A transition
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
# apexd is using bootstrap bionic
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
# Allow transition to GKI update pre/post install domain
domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };