commit 2f0bcc1b0a36bf60bbc511ac90e900cc1ac74c26
author Inseob Kim <inseob@google.com> Mon Sep 25 11:01:44 2023 +0900
committer Inseob Kim <inseob@google.com> Mon Sep 25 11:19:44 2023 +0900
tree bc7489d9d0881453cfc7583c01f9bc017e32878c
parent fcc90e8af26dc6e3f635625414c594092a959a69

Remove remaining APEX sepolicy types

Bug: 297794885
Test: boot cuttlefish
Change-Id: I2ff465217adcf1bb0267ea6d487a9a46b6584458

microdroid/system/private/file.te

diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index c6ed654..62ca9b7 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -14,10 +14,6 @@
 
 type authfs_fuse, fs_type, contextmount_type;
 
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
 # /system/bin/mke2fs - used to format encryptedstore block device
 type e2fs_exec, system_file_type, exec_type, file_type;
 

microdroid/system/private/kernel.te

diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index e81173d..1d03c4a 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,16 +81,3 @@
 
 #-----------------------------------------
 allow kernel apkdmverity:fd use;
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
-  file_contexts_file
-  property_contexts_file
-  sepolicy_test_file
-  service_contexts_file
-}:file relabelto;

private/apexd.te

diff --git a/private/apexd.te b/private/apexd.te
index f158ef6..b62e6e6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -13,14 +13,6 @@
 allow apexd apex_metadata_file:dir create_dir_perms;
 allow apexd apex_metadata_file:file create_file_perms;
 
-# Allow creating and writing APEX files/dirs in the SEPolicy metadata dir
-allow apexd sepolicy_metadata_file:dir create_dir_perms;
-allow apexd sepolicy_metadata_file:file create_file_perms;
-# Allow apexd to setup fs-verity for SEPolicy files in metadata
-allowxperm apexd sepolicy_metadata_file:file ioctl  {
-  FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
 # Allow reserving space on /data/apex/ota_reserved for apex decompression
 allow apexd apex_ota_reserved_file:dir create_dir_perms;
 allow apexd apex_ota_reserved_file:file create_file_perms;

private/file.te

diff --git a/private/file.te b/private/file.te
index ee5f047..f4c3e2d 100644
--- a/private/file.te
+++ b/private/file.te
@@ -118,13 +118,6 @@
 # /apex/com.android.compos/bin/compos_key_helper
 type compos_key_helper_exec, exec_type, file_type, system_file_type;
 
-# /metadata/sepolicy
-type sepolicy_metadata_file, file_type;
-
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
-
 # /apex/com.android.art/bin/art_exec
 # This executable does not have its own domain because it is executed in the caller's domain. For
 # example, it is executed in the `artd` domain when artd calls it.

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 2b9efc9..1049273 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -205,14 +205,6 @@
 #
 /linkerconfig(/.*)?          u:object_r:linkerconfig_file:s0
 
-# Apex sepoolicy files.
-/dev/selinux/apex_file_contexts                 u:object_r:file_contexts_file:s0
-/dev/selinux/apex_seapp_contexts                u:object_r:seapp_contexts_file:s0
-/dev/selinux/apex_service_contexts              u:object_r:service_contexts_file:s0
-/dev/selinux/apex_property_contexts             u:object_r:property_contexts_file:s0
-/dev/selinux/apex_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
-/dev/selinux/apex_mac_permissions\.xml          u:object_r:mac_perms_file:s0
-
 #############################
 # System files
 #
@@ -844,7 +836,6 @@
 /metadata/password_slots(/.*)?    u:object_r:password_slot_metadata_file:s0
 /metadata/ota(/.*)?       u:object_r:ota_metadata_file:s0
 /metadata/bootstat(/.*)?  u:object_r:metadata_bootstat_file:s0
-/metadata/sepolicy(/.*)?    u:object_r:sepolicy_metadata_file:s0
 /metadata/staged-install(/.*)?    u:object_r:staged_install_file:s0
 /metadata/userspacereboot(/.*)?    u:object_r:userspace_reboot_metadata_file:s0
 /metadata/watchdog(/.*)?    u:object_r:watchdog_metadata_file:s0

private/kernel.te

diff --git a/private/kernel.te b/private/kernel.te
index 03ba79f..2d46b3e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -44,19 +44,3 @@
 dontaudit kernel dm_user_device:chr_file { create setattr };
 dontaudit kernel tmpfs:lnk_file read;
 dontaudit kernel tmpfs:blk_file { open read };
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
-  file_contexts_file
-  hwservice_contexts_file
-  mac_perms_file
-  property_contexts_file
-  seapp_contexts_file
-  sepolicy_test_file
-  service_contexts_file
-}:file relabelto;