Merge "Remove policy for deprecated ART apex update scripts"
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index 8007efd..e47402f 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -6,5 +6,3 @@
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
-/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/private/apexd.te b/private/apexd.te
index b7d6702..7fc1183 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -125,11 +125,6 @@
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-# Allow transition to ART APEX preinstall domain.
-domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
-# Allow transition to ART APEX postinstall domain.
-domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
-
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
deleted file mode 100644
index ba02083..0000000
--- a/private/art_apex_boot_integrity.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set checks the integrity of boot classpath ART
-# artifacts in /data, potentially removing them.
-
-type art_apex_boot_integrity, domain, coredomain;
-type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# art_apex_boot_integrity to occur.
-init_daemon_domain(art_apex_boot_integrity)
-
-# Read dalvik cache directories, remove entries.
-allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
-# Read and possibly delete dalvik cache files.
-allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
-
-# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
-allow art_apex_boot_integrity shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
-# permissions.
-allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_boot_integrity system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
deleted file mode 100644
index 576ed20..0000000
--- a/private/art_apex_postinstall.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# ART APEX postinstall.
-#
-
-type art_apex_postinstall, domain, coredomain;
-type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_postinstall apexd:fd use;
-
-# Read temp dirs and files. Move directories.
-allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
-allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
-# We're deleting the old /data/dalvik-cache/* and move the new ones
-# over.
-allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
-allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
-
-# Required for relabel.
-allow art_apex_postinstall file_contexts_file:file r_file_perms;
-allow art_apex_postinstall self:global_capability_class_set sys_admin;
-
-# Script helpers.
-allow art_apex_postinstall shell_exec:file rx_file_perms;
-allow art_apex_postinstall toolbox_exec:file rx_file_perms;
-
-# Fsverity in the same domain.
-allow art_apex_postinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_postinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
deleted file mode 100644
index 12b1020..0000000
--- a/private/art_apex_preinstall.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# ART APEX preinstall.
-#
-
-type art_apex_preinstall, domain, coredomain;
-type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/sh (see b/126787589).
-allow art_apex_preinstall apexd:fd use;
-
-# Create temp dirs and files under /data/ota.
-allow art_apex_preinstall ota_data_file:dir create_dir_perms;
-allow art_apex_preinstall ota_data_file:file create_file_perms;
-# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
-# mount namespace.
-allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
-allow art_apex_preinstall self:capability sys_admin;
-
-# Script helpers.
-allow art_apex_preinstall shell_exec:file rx_file_perms;
-allow art_apex_preinstall toolbox_exec:file rx_file_perms;
-
-# Execute subscripts in the same domain.
-allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
-
-# Run dex2oat.
-domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
-
-# Fsverity in the same domain.
-allow art_apex_preinstall system_file:file execute_no_trans;
-# Fsverity work.
-allowxperm art_apex_preinstall ota_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
diff --git a/private/dex2oat.te b/private/dex2oat.te
index c257f1a..50e43ad 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -72,7 +72,6 @@
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
-allow dex2oat art_apex_preinstall:fd use;
##############
# Neverallow #
diff --git a/private/domain.te b/private/domain.te
index 3669d76..5cc313a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -257,8 +257,6 @@
-cppreopts
-dex2oat
-otapreopt_slot
- -art_apex_postinstall
- -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -270,8 +268,6 @@
-dex2oat
-zygote
-otapreopt_slot
- -art_apex_boot_integrity
- -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
# Minimize dac_override and dac_read_search.
diff --git a/private/file_contexts b/private/file_contexts
index efb2c14..84fb2a7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -258,7 +258,6 @@
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0