[sepolicy] remove vendor_incremental_module from global sepolicy rules
(Cherry-picking)
Moving to coral-sepolicy
BUG: 150882666
Test: atest PackageManagerShellCommandIncrementalTest
Merged-Id: I55f5d53ee32d0557e06c070961526631e1bb1fc5
Change-Id: Ia9c4d8240787b0d2b349764cac9d61b9d8731fa2
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ff2dd0a..f4203f6 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -111,7 +111,6 @@
tv_tuner_resource_mgr_service
vendor_apex_file
vendor_boringssl_self_test
- vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
vendor_socket_hook_prop
diff --git a/private/file_contexts b/private/file_contexts
index ffc7f24..0cc68e7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -375,7 +375,6 @@
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
-(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/public/domain.te b/public/domain.te
index 03f1d28..7bee8ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -990,6 +990,7 @@
-system_executes_vendor_violators
-traced_perf # library/binary access for symbolization
-ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
} {
vendor_file_type
-same_process_hal_file
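Review bot: The added `-vold` in the source set exempts vold from this neverallow for every `vendor_file_type` and every file permission (`:file *`), whereas the target-side `-vendor_incremental_module` removed in this file's second hunk opened up only one type. Once the type lives in device policy the global rule can no longer name it, but a narrower option is a public attribute that device policy attaches to the driver type and that is subtracted in the target set, e.g. `-<incremental_module_attr>` (placeholder name), which keeps vold inside the neverallow. If the domain-wide exemption stays, the comment should record its scope, for example `-vold # loads incremental fs driver; its type is device-defined, so vold is exempted as a whole`. The neverallow statement begins above the hunk, so the rest of the source set is not visible here.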
@@ -1003,7 +1004,6 @@
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
- -vendor_incremental_module
-vndk_sp_file
}:file *;
')
diff --git a/public/file.te b/public/file.te
index bb83a44..462e71d 100644
--- a/public/file.te
+++ b/public/file.te
@@ -211,8 +211,6 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
-# Default type for incremental file system driver
-type vendor_incremental_module, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/vold.te b/public/vold.te
index 1f274fa..400e32a 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -52,11 +52,6 @@
FS_IOC_REMOVE_ENCRYPTION_KEY
};
-# Allow to load incremental file system driver
-allow vold self:capability sys_module;
-allow vold vendor_incremental_module:file r_file_perms;
-allow vold vendor_incremental_module:system module_load;
-
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain