From c0cac4114c5f0b1b326f8630fab2f26bdb745c22 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe
Date: Fri, 17 Sep 2021 17:52:48 +0100
Subject: [PATCH] Cleanup sepolicy related to APEX pre/post-install hooks

The pre/post-install hook functionality has been deprecated and removed.

Bug: 172606645
Test: atest ApexTestCases
Test: atest CtsStagedInstallHostTestCases
Change-Id: I8a5f726a0c8f005654d0430b5a4598e416ff9c28
---
 apex/apex.test-file_contexts | 2 --
 private/apexd.te | 21 ---------------------
 2 files changed, 23 deletions(-)

diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index a14e14b00..0623d9a77 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,4 +1,2 @@
-/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
-/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
 (/.*)? u:object_r:system_file:s0
 /bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/private/apexd.te b/private/apexd.te
index 32132411e..fae3e412a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -123,31 +123,10 @@ set_prop(apexd, ctl_apexd_prop) allow apexd vold_service:service_manager find; binder_call(apexd, vold) -# Apex pre- & post-install permission. - -# Allow self-execute for the fork mount helper. -allow apexd apexd_exec:file execute_no_trans; - -# Unshare and make / private so that hooks cannot influence the -# running system. -allow apexd rootfs:dir mounton; - -# Allow to execute shell for pre- and postinstall scripts. A transition -# rule is required, thus restricted to execute and not execute_no_trans. -allow apexd shell_exec:file { r_file_perms execute }; - # apexd is using bootstrap bionic allow apexd system_bootstrap_lib_file:dir r_dir_perms; allow apexd system_bootstrap_lib_file:file { execute read open getattr map }; -# Allow transition to test APEX preinstall domain. -userdebug_or_eng(` - domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall) -') - -# Allow transition to GKI update pre/post install domain -domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall) - # Allow apexd to be invoked with logwrapper from init during userspace reboot. allow apexd devpts:chr_file { read write };