Remove redundant vendor sepolicy files
No matter how microdroid system's sepolicy is built, microdroid vendor's
sepolicy will exist under packages/modules/Virtualization/microdroid,
and we need to trim vendor sepolicy first, to investigate further.
This commit removes almost all of the vendor sepolicy files. Only the
keymint HAL and file_contexts stay.
Bug: 191131624
Test: atest MicordroidHostTestCases
Change-Id: Ib67507c1893d7768d2214c2bfbf2eaf299fb21f2
diff --git a/microdroid/sepolicy/vendor/file.te b/microdroid/sepolicy/vendor/file.te
deleted file mode 100644
index 0b1fd74..0000000
--- a/microdroid/sepolicy/vendor/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type hostapd_data_file, file_type, data_file_type;
-type wpa_data_file, file_type, data_file_type;
diff --git a/microdroid/sepolicy/vendor/hal_atrace_default.te b/microdroid/sepolicy/vendor/hal_atrace_default.te
deleted file mode 100644
index 55c9730..0000000
--- a/microdroid/sepolicy/vendor/hal_atrace_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_atrace_default, domain;
-hal_server_domain(hal_atrace_default, hal_atrace)
-
-type hal_atrace_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_atrace_default)
-
-# Allow atrace HAL to access tracefs.
-allow hal_atrace_default debugfs_tracing:dir r_dir_perms;
-allow hal_atrace_default debugfs_tracing:file rw_file_perms;
-
-userdebug_or_eng(`
- allow hal_atrace_default debugfs_tracing_debug:dir r_dir_perms;
- allow hal_atrace_default debugfs_tracing_debug:file rw_file_perms;
-')
diff --git a/microdroid/sepolicy/vendor/hal_audio_default.te b/microdroid/sepolicy/vendor/hal_audio_default.te
deleted file mode 100644
index 82cbf8e..0000000
--- a/microdroid/sepolicy/vendor/hal_audio_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_audio_default, domain;
-hal_server_domain(hal_audio_default, hal_audio)
-
-type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_audio_default)
-
-hal_client_domain(hal_audio_default, hal_allocator)
-
-# allow audioserver to call hal_audio dump with its own fd to retrieve status
-allow hal_audio_default audioserver:fifo_file write;
diff --git a/microdroid/sepolicy/vendor/hal_audiocontrol_default.te b/microdroid/sepolicy/vendor/hal_audiocontrol_default.te
deleted file mode 100644
index d1940c9..0000000
--- a/microdroid/sepolicy/vendor/hal_audiocontrol_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# audiocontrol subsystem
-type hal_audiocontrol_default, domain;
-hal_server_domain(hal_audiocontrol_default, hal_audiocontrol)
-
-# may be started by init
-type hal_audiocontrol_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_audiocontrol_default)
diff --git a/microdroid/sepolicy/vendor/hal_authsecret_default.te b/microdroid/sepolicy/vendor/hal_authsecret_default.te
deleted file mode 100644
index 46f5291..0000000
--- a/microdroid/sepolicy/vendor/hal_authsecret_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_authsecret_default, domain;
-hal_server_domain(hal_authsecret_default, hal_authsecret)
-
-type hal_authsecret_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_authsecret_default)
diff --git a/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te b/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te
deleted file mode 100644
index 22d9cf0..0000000
--- a/microdroid/sepolicy/vendor/hal_bluetooth_btlinux.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hal_bluetooth_btlinux, domain;
-type hal_bluetooth_btlinux_exec, exec_type, file_type, vendor_file_type;
-
-hal_server_domain(hal_bluetooth_btlinux, hal_bluetooth)
-init_daemon_domain(hal_bluetooth_btlinux)
-
-allow hal_bluetooth_btlinux self:socket { create bind read write };
-allow hal_bluetooth_btlinux self:bluetooth_socket { create bind read write };
diff --git a/microdroid/sepolicy/vendor/hal_bluetooth_default.te b/microdroid/sepolicy/vendor/hal_bluetooth_default.te
deleted file mode 100644
index 01d60db..0000000
--- a/microdroid/sepolicy/vendor/hal_bluetooth_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_bluetooth_default, domain;
-hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-
-type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_bluetooth_default)
diff --git a/microdroid/sepolicy/vendor/hal_bootctl_default.te b/microdroid/sepolicy/vendor/hal_bootctl_default.te
deleted file mode 100644
index 2b94313..0000000
--- a/microdroid/sepolicy/vendor/hal_bootctl_default.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Boot control subsystem
-type hal_bootctl_default, domain;
-hal_server_domain(hal_bootctl_default, hal_bootctl)
-
-type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_bootctl_default)
-
-# Needed for ReadDefaultFstab.
-allow hal_bootctl_default proc_cmdline:file r_file_perms;
-allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
-allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(hal_bootctl_default)
-
-# Needed for reading/writing misc partition.
-allow hal_bootctl_default block_device:dir search;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_broadcastradio_default.te b/microdroid/sepolicy/vendor/hal_broadcastradio_default.te
deleted file mode 100644
index 37f65f4..0000000
--- a/microdroid/sepolicy/vendor/hal_broadcastradio_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_broadcastradio_default, domain;
-hal_server_domain(hal_broadcastradio_default, hal_broadcastradio)
-
-type hal_broadcastradio_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_broadcastradio_default)
diff --git a/microdroid/sepolicy/vendor/hal_camera_default.te b/microdroid/sepolicy/vendor/hal_camera_default.te
deleted file mode 100644
index 5bc4a61..0000000
--- a/microdroid/sepolicy/vendor/hal_camera_default.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_camera_default, domain;
-hal_server_domain(hal_camera_default, hal_camera)
-
-type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_camera_default)
-
-allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
-
-# For collecting bugreports.
-allow hal_camera_default dumpstate:fd use;
-allow hal_camera_default dumpstate:fifo_file write;
diff --git a/microdroid/sepolicy/vendor/hal_can_socketcan.te b/microdroid/sepolicy/vendor/hal_can_socketcan.te
deleted file mode 100644
index 7498788..0000000
--- a/microdroid/sepolicy/vendor/hal_can_socketcan.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type hal_can_socketcan, domain;
-hal_server_domain(hal_can_socketcan, hal_can_controller)
-hal_server_domain(hal_can_socketcan, hal_can_bus)
-
-type hal_can_socketcan_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_can_socketcan)
-
-# Managing SocketCAN interfaces
-allow hal_can_socketcan self:capability net_admin;
-allow hal_can_socketcan self:netlink_route_socket { create bind write nlmsg_write read };
-
-# Calling if_nametoindex(3) to open CAN sockets
-allow hal_can_socketcan self:udp_socket { create ioctl };
-allowxperm hal_can_socketcan self:udp_socket ioctl {
- SIOCGIFINDEX
-};
-
-# Communicating with SocketCAN interfaces and bringing them up/down
-allow hal_can_socketcan self:can_socket { bind create read write ioctl setopt };
-allowxperm hal_can_socketcan self:can_socket ioctl {
- SIOCGIFFLAGS
- SIOCSIFFLAGS
-};
-
-# Un-publishing ICanBus interfaces
-allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
-
-allow hal_can_socketcan sysfs:dir r_dir_perms;
-
-allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
-allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
- TCGETS
- TCSETSW
- TIOCGSERIAL
- TIOCSSERIAL
- TIOCSETD
- SIOCGIFNAME
-};
diff --git a/microdroid/sepolicy/vendor/hal_cas_default.te b/microdroid/sepolicy/vendor/hal_cas_default.te
deleted file mode 100644
index cc1a2c8..0000000
--- a/microdroid/sepolicy/vendor/hal_cas_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_cas_default, domain;
-hal_server_domain(hal_cas_default, hal_cas)
-
-type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_cas_default)
-
-# Allow CAS HAL's default implementation to use vendor-binder service
-vndbinder_use(hal_cas_default);
-
-allow hal_cas_default hal_allocator:fd use;
diff --git a/microdroid/sepolicy/vendor/hal_configstore_default.te b/microdroid/sepolicy/vendor/hal_configstore_default.te
deleted file mode 100644
index cc61a16..0000000
--- a/microdroid/sepolicy/vendor/hal_configstore_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_configstore_default, domain;
-hal_server_domain(hal_configstore_default, hal_configstore)
-
-type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_configstore_default)
diff --git a/microdroid/sepolicy/vendor/hal_confirmationui_default.te b/microdroid/sepolicy/vendor/hal_confirmationui_default.te
deleted file mode 100644
index 832c687..0000000
--- a/microdroid/sepolicy/vendor/hal_confirmationui_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_confirmationui_default, domain;
-hal_server_domain(hal_confirmationui_default, hal_confirmationui)
-
-type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_confirmationui_default)
diff --git a/microdroid/sepolicy/vendor/hal_contexthub_default.te b/microdroid/sepolicy/vendor/hal_contexthub_default.te
deleted file mode 100644
index b29808d..0000000
--- a/microdroid/sepolicy/vendor/hal_contexthub_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_contexthub_default, domain;
-hal_server_domain(hal_contexthub_default, hal_contexthub)
-
-type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_contexthub_default)
diff --git a/microdroid/sepolicy/vendor/hal_drm_default.te b/microdroid/sepolicy/vendor/hal_drm_default.te
deleted file mode 100644
index e534762..0000000
--- a/microdroid/sepolicy/vendor/hal_drm_default.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hal_drm_default, domain;
-hal_server_domain(hal_drm_default, hal_drm)
-
-type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_drm_default)
-
-allow hal_drm_default hal_codec2_server:fd use;
-allow hal_drm_default hal_omx_server:fd use;
diff --git a/microdroid/sepolicy/vendor/hal_dumpstate_default.te b/microdroid/sepolicy/vendor/hal_dumpstate_default.te
deleted file mode 100644
index 6fbf40f..0000000
--- a/microdroid/sepolicy/vendor/hal_dumpstate_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_dumpstate_default, domain;
-hal_server_domain(hal_dumpstate_default, hal_dumpstate)
-
-type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dumpstate_default)
diff --git a/microdroid/sepolicy/vendor/hal_evs_default.te b/microdroid/sepolicy/vendor/hal_evs_default.te
deleted file mode 100644
index 57a0299..0000000
--- a/microdroid/sepolicy/vendor/hal_evs_default.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# evs_mock mock hardware driver service
-type hal_evs_default, domain;
-hal_server_domain(hal_evs_default, hal_evs)
-
-# allow init to launch processes in this context
-type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_evs_default)
-
-allow hal_evs_default hal_graphics_allocator_server:fd use;
-
-# allow to use surface flinger
-allow hal_evs_default automotive_display_service_server:fd use;
-
-# allow to use automotive display service
-allow hal_evs_default fwk_automotive_display_hwservice:hwservice_manager find;
diff --git a/microdroid/sepolicy/vendor/hal_face_default.te b/microdroid/sepolicy/vendor/hal_face_default.te
deleted file mode 100644
index 891d1f4..0000000
--- a/microdroid/sepolicy/vendor/hal_face_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_face_default, domain;
-hal_server_domain(hal_face_default, hal_face)
-
-type hal_face_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_face_default)
diff --git a/microdroid/sepolicy/vendor/hal_fingerprint_default.te b/microdroid/sepolicy/vendor/hal_fingerprint_default.te
deleted file mode 100644
index 638b603..0000000
--- a/microdroid/sepolicy/vendor/hal_fingerprint_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_fingerprint_default, domain;
-hal_server_domain(hal_fingerprint_default, hal_fingerprint)
-
-type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_fingerprint_default)
diff --git a/microdroid/sepolicy/vendor/hal_gatekeeper_default.te b/microdroid/sepolicy/vendor/hal_gatekeeper_default.te
deleted file mode 100644
index a3654cc..0000000
--- a/microdroid/sepolicy/vendor/hal_gatekeeper_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_gatekeeper_default, domain;
-hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
-
-type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_gatekeeper_default);
diff --git a/microdroid/sepolicy/vendor/hal_gnss_default.te b/microdroid/sepolicy/vendor/hal_gnss_default.te
deleted file mode 100644
index cea362f..0000000
--- a/microdroid/sepolicy/vendor/hal_gnss_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type hal_gnss_default, domain;
-hal_server_domain(hal_gnss_default, hal_gnss)
-
-type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_gnss_default)
-
-allow hal_gnss_default gnss_device:chr_file rw_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te b/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te
deleted file mode 100644
index a129ad4..0000000
--- a/microdroid/sepolicy/vendor/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_graphics_allocator_default, domain;
-type hal_graphics_allocator_default_tmpfs, file_type;
-hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
-
-type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_graphics_allocator_default)
-tmpfs_domain(hal_graphics_allocator_default)
-
-# b/70180742
-dontaudit hal_graphics_allocator_default unlabeled:dir search;
diff --git a/microdroid/sepolicy/vendor/hal_graphics_composer_default.te b/microdroid/sepolicy/vendor/hal_graphics_composer_default.te
deleted file mode 100644
index 7dcd2b2..0000000
--- a/microdroid/sepolicy/vendor/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_graphics_composer_default, domain;
-hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
-
-type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_graphics_composer_default)
-type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
-allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
-
-# b/68864350
-dontaudit hal_graphics_composer_default unlabeled:dir search;
diff --git a/microdroid/sepolicy/vendor/hal_health_default.te b/microdroid/sepolicy/vendor/hal_health_default.te
deleted file mode 100644
index 9b2b921..0000000
--- a/microdroid/sepolicy/vendor/hal_health_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# health info abstraction
-type hal_health_default, domain;
-hal_server_domain(hal_health_default, hal_health)
-
-type hal_health_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_health_default)
diff --git a/microdroid/sepolicy/vendor/hal_health_storage_default.te b/microdroid/sepolicy/vendor/hal_health_storage_default.te
deleted file mode 100644
index 37b3e24..0000000
--- a/microdroid/sepolicy/vendor/hal_health_storage_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_health_storage_default, domain;
-hal_server_domain(hal_health_storage_default, hal_health_storage)
-
-type hal_health_storage_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_health_storage_default)
-
diff --git a/microdroid/sepolicy/vendor/hal_identity_default.te b/microdroid/sepolicy/vendor/hal_identity_default.te
deleted file mode 100644
index 7f84687..0000000
--- a/microdroid/sepolicy/vendor/hal_identity_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_identity_default, domain;
-hal_server_domain(hal_identity_default, hal_identity)
-
-type hal_identity_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_identity_default)
diff --git a/microdroid/sepolicy/vendor/hal_input_classifier_default.te b/microdroid/sepolicy/vendor/hal_input_classifier_default.te
deleted file mode 100644
index 915cc78..0000000
--- a/microdroid/sepolicy/vendor/hal_input_classifier_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_input_classifier_default, domain;
-hal_server_domain(hal_input_classifier_default, hal_input_classifier)
-
-type hal_input_classifier_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_input_classifier_default)
diff --git a/microdroid/sepolicy/vendor/hal_ir_default.te b/microdroid/sepolicy/vendor/hal_ir_default.te
deleted file mode 100644
index 943aab0..0000000
--- a/microdroid/sepolicy/vendor/hal_ir_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_ir_default, domain;
-hal_server_domain(hal_ir_default, hal_ir)
-
-type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_ir_default)
diff --git a/microdroid/sepolicy/vendor/hal_keymaster_default.te b/microdroid/sepolicy/vendor/hal_keymaster_default.te
deleted file mode 100644
index 6f0d82a..0000000
--- a/microdroid/sepolicy/vendor/hal_keymaster_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type hal_keymaster_default, domain;
-hal_server_domain(hal_keymaster_default, hal_keymaster)
-
-type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymaster_default)
-
-get_prop(hal_keymaster_default, vendor_security_patch_level_prop);
diff --git a/microdroid/sepolicy/vendor/hal_light_default.te b/microdroid/sepolicy/vendor/hal_light_default.te
deleted file mode 100644
index c7fa9a1..0000000
--- a/microdroid/sepolicy/vendor/hal_light_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_light_default, domain;
-hal_server_domain(hal_light_default, hal_light)
-
-type hal_light_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_light_default)
diff --git a/microdroid/sepolicy/vendor/hal_lowpan_default.te b/microdroid/sepolicy/vendor/hal_lowpan_default.te
deleted file mode 100644
index a49bf24..0000000
--- a/microdroid/sepolicy/vendor/hal_lowpan_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_lowpan_default, domain;
-type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;
-
-hal_server_domain(hal_lowpan_default, hal_lowpan)
-init_daemon_domain(hal_lowpan_default)
diff --git a/microdroid/sepolicy/vendor/hal_memtrack_default.te b/microdroid/sepolicy/vendor/hal_memtrack_default.te
deleted file mode 100644
index c547699..0000000
--- a/microdroid/sepolicy/vendor/hal_memtrack_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_memtrack_default, domain;
-hal_server_domain(hal_memtrack_default, hal_memtrack)
-
-type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_memtrack_default)
diff --git a/microdroid/sepolicy/vendor/hal_nfc_default.te b/microdroid/sepolicy/vendor/hal_nfc_default.te
deleted file mode 100644
index c13baa7..0000000
--- a/microdroid/sepolicy/vendor/hal_nfc_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_nfc_default, domain;
-hal_server_domain(hal_nfc_default, hal_nfc)
-
-type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_nfc_default)
diff --git a/microdroid/sepolicy/vendor/hal_oemlock_default.te b/microdroid/sepolicy/vendor/hal_oemlock_default.te
deleted file mode 100644
index 8597f2c..0000000
--- a/microdroid/sepolicy/vendor/hal_oemlock_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_oemlock_default, domain;
-hal_server_domain(hal_oemlock_default, hal_oemlock)
-
-type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_oemlock_default)
diff --git a/microdroid/sepolicy/vendor/hal_power_default.te b/microdroid/sepolicy/vendor/hal_power_default.te
deleted file mode 100644
index 3be4f22..0000000
--- a/microdroid/sepolicy/vendor/hal_power_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_power_default, domain;
-hal_server_domain(hal_power_default, hal_power)
-
-type hal_power_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_power_default)
diff --git a/microdroid/sepolicy/vendor/hal_power_stats_default.te b/microdroid/sepolicy/vendor/hal_power_stats_default.te
deleted file mode 100644
index b7a2c02..0000000
--- a/microdroid/sepolicy/vendor/hal_power_stats_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_power_stats_default, domain;
-hal_server_domain(hal_power_stats_default, hal_power_stats)
-
-type hal_power_stats_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_power_stats_default)
diff --git a/microdroid/sepolicy/vendor/hal_radio_config_default.te b/microdroid/sepolicy/vendor/hal_radio_config_default.te
deleted file mode 100644
index ccbe5bf..0000000
--- a/microdroid/sepolicy/vendor/hal_radio_config_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_radio_config_default, domain;
-hal_server_domain(hal_radio_config_default, hal_telephony)
-
-type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_radio_config_default)
-
diff --git a/microdroid/sepolicy/vendor/hal_radio_default.te b/microdroid/sepolicy/vendor/hal_radio_default.te
deleted file mode 100644
index 82fd40e..0000000
--- a/microdroid/sepolicy/vendor/hal_radio_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_radio_default, domain;
-hal_server_domain(hal_radio_default, hal_telephony)
-
-type hal_radio_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_radio_default)
-
diff --git a/microdroid/sepolicy/vendor/hal_rebootescrow_default.te b/microdroid/sepolicy/vendor/hal_rebootescrow_default.te
deleted file mode 100644
index 2625693..0000000
--- a/microdroid/sepolicy/vendor/hal_rebootescrow_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_rebootescrow_default, domain;
-hal_server_domain(hal_rebootescrow_default, hal_rebootescrow)
-get_prop(hal_rebootescrow_default, rebootescrow_hal_prop);
-
-type hal_rebootescrow_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_rebootescrow_default)
-
-type rebootescrow_device, dev_type;
-allow hal_rebootescrow_default rebootescrow_device:{ chr_file blk_file } rw_file_perms;
-allow hal_rebootescrow_default block_device:dir search;
diff --git a/microdroid/sepolicy/vendor/hal_secure_element_default.te b/microdroid/sepolicy/vendor/hal_secure_element_default.te
deleted file mode 100644
index b1a94a1..0000000
--- a/microdroid/sepolicy/vendor/hal_secure_element_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type hal_secure_element_default, domain;
-hal_server_domain(hal_secure_element_default, hal_secure_element)
-type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
-
-allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-
-init_daemon_domain(hal_secure_element_default)
diff --git a/microdroid/sepolicy/vendor/hal_sensors_default.te b/microdroid/sepolicy/vendor/hal_sensors_default.te
deleted file mode 100644
index 8752364..0000000
--- a/microdroid/sepolicy/vendor/hal_sensors_default.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type hal_sensors_default, domain;
-hal_server_domain(hal_sensors_default, hal_sensors)
-
-type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_sensors_default)
-
-allow hal_sensors_default fwk_scheduler_hwservice:hwservice_manager find;
-
-allow hal_sensors_default input_device:dir r_dir_perms;
-allow hal_sensors_default input_device:chr_file r_file_perms;
-
-# Allow sensor hals to access and use gralloc memory allocated by
-# android.hardware.graphics.allocator
-allow hal_sensors_default hal_graphics_allocator_default:fd use;
-allow hal_sensors_default ion_device:chr_file r_file_perms;
-allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
-
-# allow sensor hal to use lock for keeping system awake for wake up
-# events delivery.
-wakelock_use(hal_sensors_default);
-
-# allow sensor hal to use ashmem fd from system_server.
-allow hal_sensors_default system_server:fd use;
diff --git a/microdroid/sepolicy/vendor/hal_tetheroffload_default.te b/microdroid/sepolicy/vendor/hal_tetheroffload_default.te
deleted file mode 100644
index 03c542b..0000000
--- a/microdroid/sepolicy/vendor/hal_tetheroffload_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tetheroffload_default, domain;
-hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
-
-type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tetheroffload_default)
diff --git a/microdroid/sepolicy/vendor/hal_thermal_default.te b/microdroid/sepolicy/vendor/hal_thermal_default.te
deleted file mode 100644
index 73b2eff..0000000
--- a/microdroid/sepolicy/vendor/hal_thermal_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_thermal_default, domain;
-hal_server_domain(hal_thermal_default, hal_thermal)
-
-type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
-init_daemon_domain(hal_thermal_default)
diff --git a/microdroid/sepolicy/vendor/hal_tv_cec_default.te b/microdroid/sepolicy/vendor/hal_tv_cec_default.te
deleted file mode 100644
index 080e73b..0000000
--- a/microdroid/sepolicy/vendor/hal_tv_cec_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_tv_cec_default, domain;
-hal_server_domain(hal_tv_cec_default, hal_tv_cec)
-
-type hal_tv_cec_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_cec_default)
diff --git a/microdroid/sepolicy/vendor/hal_tv_input_default.te b/microdroid/sepolicy/vendor/hal_tv_input_default.te
deleted file mode 100644
index 12d9743..0000000
--- a/microdroid/sepolicy/vendor/hal_tv_input_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_tv_input_default, domain;
-hal_server_domain(hal_tv_input_default, hal_tv_input)
-
-type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_input_default)
-
diff --git a/microdroid/sepolicy/vendor/hal_tv_tuner_default.te b/microdroid/sepolicy/vendor/hal_tv_tuner_default.te
deleted file mode 100644
index 639c7bd..0000000
--- a/microdroid/sepolicy/vendor/hal_tv_tuner_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_tv_tuner_default, domain;
-hal_server_domain(hal_tv_tuner_default, hal_tv_tuner)
-
-type hal_tv_tuner_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_tv_tuner_default)
-
-allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
-
-# Access to /dev/dma_heap/system
-allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_usb_default.te b/microdroid/sepolicy/vendor/hal_usb_default.te
deleted file mode 100644
index 5642a2a..0000000
--- a/microdroid/sepolicy/vendor/hal_usb_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_usb_default, domain;
-hal_server_domain(hal_usb_default, hal_usb)
-
-type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_usb_default)
diff --git a/microdroid/sepolicy/vendor/hal_usb_gadget_default.te b/microdroid/sepolicy/vendor/hal_usb_gadget_default.te
deleted file mode 100644
index f1486b9..0000000
--- a/microdroid/sepolicy/vendor/hal_usb_gadget_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_usb_gadget_default, domain;
-hal_server_domain(hal_usb_gadget_default, hal_usb_gadget)
-
-type hal_usb_gadget_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_usb_gadget_default)
diff --git a/microdroid/sepolicy/vendor/hal_vehicle_default.te b/microdroid/sepolicy/vendor/hal_vehicle_default.te
deleted file mode 100644
index 56a47b7..0000000
--- a/microdroid/sepolicy/vendor/hal_vehicle_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# vehicle subsystem
-type hal_vehicle_default, domain;
-hal_server_domain(hal_vehicle_default, hal_vehicle)
-
-# may be started by init
-type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_vehicle_default)
-
-# communication with CAN bus HAL
-hal_client_domain(hal_vehicle_default, hal_can_bus)
diff --git a/microdroid/sepolicy/vendor/hal_vibrator_default.te b/microdroid/sepolicy/vendor/hal_vibrator_default.te
deleted file mode 100644
index 6c10d8a..0000000
--- a/microdroid/sepolicy/vendor/hal_vibrator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_vibrator_default, domain;
-hal_server_domain(hal_vibrator_default, hal_vibrator)
-
-type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_vibrator_default)
diff --git a/microdroid/sepolicy/vendor/hal_vr_default.te b/microdroid/sepolicy/vendor/hal_vr_default.te
deleted file mode 100644
index 6a60192..0000000
--- a/microdroid/sepolicy/vendor/hal_vr_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_vr_default, domain;
-hal_server_domain(hal_vr_default, hal_vr)
-
-type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_vr_default)
diff --git a/microdroid/sepolicy/vendor/hal_weaver_default.te b/microdroid/sepolicy/vendor/hal_weaver_default.te
deleted file mode 100644
index 0dd7679..0000000
--- a/microdroid/sepolicy/vendor/hal_weaver_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_weaver_default, domain;
-hal_server_domain(hal_weaver_default, hal_weaver)
-
-type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_weaver_default)
diff --git a/microdroid/sepolicy/vendor/hal_wifi_default.te b/microdroid/sepolicy/vendor/hal_wifi_default.te
deleted file mode 100644
index 75a9842..0000000
--- a/microdroid/sepolicy/vendor/hal_wifi_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_wifi_default, domain;
-hal_server_domain(hal_wifi_default, hal_wifi)
-
-type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_wifi_default)
diff --git a/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te b/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te
deleted file mode 100644
index 1e0dcb8..0000000
--- a/microdroid/sepolicy/vendor/hal_wifi_hostapd_default.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# hostapd or equivalent
-type hal_wifi_hostapd_default, domain;
-hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
-type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_wifi_hostapd_default)
-
-net_domain(hal_wifi_hostapd_default)
-
-# Allow hostapd to access it's data folder
-allow hal_wifi_hostapd_default hostapd_data_file:dir create_dir_perms;
-allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
-allow hal_wifi_hostapd_default hostapd_data_file:sock_file create_file_perms;
diff --git a/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te b/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te
deleted file mode 100644
index b6b9e09..0000000
--- a/microdroid/sepolicy/vendor/hal_wifi_supplicant_default.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# wpa supplicant or equivalent
-type hal_wifi_supplicant_default, domain;
-hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_wifi_supplicant_default)
-
-net_domain(hal_wifi_supplicant_default)
-# Create a socket for receiving info from wpa
-type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
-
-# Allow wpa_supplicant to configure nl80211
-allow hal_wifi_supplicant_default proc_net_type:file write;
-
-# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
-hwbinder_use(hal_wifi_supplicant_default)
-allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
-binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
-
-allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
-allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;
-
-# Write to security logs for audit.
-get_prop(hal_wifi_supplicant_default, device_logging_prop)
-
-# Devices upgrading to P may grant this permission in device-specific
-# policy along with the data_between_core_and_vendor_violators
-# attribute needed for an exemption. However, devices that launch with
-# P should use /data/vendor/wifi, which is already granted in core
-# policy. This is dontaudited here to avoid conditional
-# device-specific behavior in wpa_supplicant.
-dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
diff --git a/microdroid/sepolicy/vendor/keys.conf b/microdroid/sepolicy/vendor/keys.conf
deleted file mode 100644
index 71ad2c9..0000000
--- a/microdroid/sepolicy/vendor/keys.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-# Some vendor apps are using platform key for signing.
-# This moves them to untrusted_app domain when the system partition is
-# switched to a Generic System Image (GSI), because the value of platform's
-# seinfo in /system/etc/selinux/plat_mac_permissions.xml has been changed.
-# Duplicating the device-specific platform seinfo into
-# /vendor/etc/selinux/vendor_mac_permissions.xml to make it self-contained
-# within the vendor partition.
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
diff --git a/microdroid/sepolicy/vendor/mac_permissions.xml b/microdroid/sepolicy/vendor/mac_permissions.xml
deleted file mode 100644
index 2d6fab0..0000000
--- a/microdroid/sepolicy/vendor/mac_permissions.xml
+++ /dev/null
@@ -1,53 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Vendor dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-</policy>
diff --git a/microdroid/sepolicy/vendor/mediacodec.te b/microdroid/sepolicy/vendor/mediacodec.te
deleted file mode 100644
index f78b58f..0000000
--- a/microdroid/sepolicy/vendor/mediacodec.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type mediacodec, domain, mlstrustedsubject;
-type mediacodec_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(mediacodec)
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(mediacodec)
-
-hal_server_domain(mediacodec, hal_codec2)
-hal_server_domain(mediacodec, hal_omx)
-
-# mediacodec may use an input surface from a different Codec2 or OMX service
-hal_client_domain(mediacodec, hal_codec2)
-hal_client_domain(mediacodec, hal_omx)
-
-hal_client_domain(mediacodec, hal_allocator)
-hal_client_domain(mediacodec, hal_graphics_allocator)
-
-allow mediacodec gpu_device:chr_file rw_file_perms;
-allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediacodec video_device:chr_file rw_file_perms;
-allow mediacodec video_device:dir search;
-
-crash_dump_fallback(mediacodec)
-
-# get aac_drc_* properties
-get_prop(mediacodec, aac_drc_prop)
-
-# mediacodec should never execute any executable without a domain transition
-neverallow mediacodec { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
-
diff --git a/microdroid/sepolicy/vendor/rild.te b/microdroid/sepolicy/vendor/rild.te
deleted file mode 100644
index fc84ef7..0000000
--- a/microdroid/sepolicy/vendor/rild.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# rild - radio interface layer daemon
-type rild, domain;
-hal_server_domain(rild, hal_telephony)
-net_domain(rild)
-
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-type rild_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(rild)
diff --git a/microdroid/sepolicy/vendor/tee.te b/microdroid/sepolicy/vendor/tee.te
deleted file mode 100644
index 4b2e6c7..0000000
--- a/microdroid/sepolicy/vendor/tee.te
+++ /dev/null
@@ -1,17 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(tee)
-
-allow tee self:global_capability_class_set { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file { getattr read };
diff --git a/microdroid/sepolicy/vendor/vendor_install_recovery.te b/microdroid/sepolicy/vendor/vendor_install_recovery.te
deleted file mode 100644
index ff63f75..0000000
--- a/microdroid/sepolicy/vendor/vendor_install_recovery.te
+++ /dev/null
@@ -1,24 +0,0 @@
-init_daemon_domain(vendor_install_recovery)
-
-# service vendor_flash_recovery in
-# bootable/recovery/applypatch/vendor_flash_recovery.rc
-type vendor_install_recovery, domain;
-type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
-
-# /vendor/bin/install-recovery.sh is a shell script.
-# Needs to execute /vendor/bin/sh
-allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
-
-# Execute /vendor/bin/applypatch
-allow vendor_install_recovery vendor_file:file rx_file_perms;
-not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
-
-allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow vendor_install_recovery block_device:dir search;
-allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
-allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vendor_install_recovery proc_drop_caches:file w_file_perms;
diff --git a/microdroid/sepolicy/vendor/vendor_misc_writer.te b/microdroid/sepolicy/vendor/vendor_misc_writer.te
deleted file mode 100644
index 245749e..0000000
--- a/microdroid/sepolicy/vendor/vendor_misc_writer.te
+++ /dev/null
@@ -1 +0,0 @@
-init_daemon_domain(vendor_misc_writer)
diff --git a/microdroid/sepolicy/vendor/vendor_modprobe.te b/microdroid/sepolicy/vendor/vendor_modprobe.te
deleted file mode 100644
index 3f5918c..0000000
--- a/microdroid/sepolicy/vendor/vendor_modprobe.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# For the use of /vendor/bin/modprobe from vendor init.rc fragments
-domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
-
-allow vendor_modprobe proc_modules:file r_file_perms;
-allow vendor_modprobe proc_cmdline:file r_file_perms;
-allow vendor_modprobe kmsg_device:chr_file w_file_perms;
-allow vendor_modprobe self:global_capability_class_set sys_module;
-allow vendor_modprobe kernel:key search;
-
-allow vendor_modprobe { vendor_file }:system module_load;
-r_dir_file(vendor_modprobe, { vendor_file })
diff --git a/microdroid/sepolicy/vendor/vndservice_contexts b/microdroid/sepolicy/vendor/vndservice_contexts
deleted file mode 100644
index 068056f..0000000
--- a/microdroid/sepolicy/vendor/vndservice_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-manager u:object_r:service_manager_vndservice:s0
-* u:object_r:default_android_vndservice:s0
diff --git a/microdroid/sepolicy/vendor/vndservicemanager.te b/microdroid/sepolicy/vendor/vndservicemanager.te
deleted file mode 100644
index 497e027..0000000
--- a/microdroid/sepolicy/vendor/vndservicemanager.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(vndservicemanager);
-
-allow vndservicemanager self:binder set_context_mgr;
-
-# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
-
-allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
-
-# Read vndservice_contexts
-allow vndservicemanager vndservice_contexts_file:file r_file_perms;
-
-add_service(vndservicemanager, service_manager_vndservice)
-
-# Start lazy services
-set_prop(vndservicemanager, ctl_interface_start_prop)
-
-# Check SELinux permissions.
-selinux_check_access(vndservicemanager)