Remove TZUvA feature.
The feature was superseded by tzdata mainline module(s).
Bug: 148144561
Test: see system/timezone
Test: m selinux_policy
Change-Id: I48d445ac723ae310b8a134371342fc4c0d202300
Merged-In: I48d445ac723ae310b8a134371342fc4c0d202300
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 3a096be..d71298a 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -10,6 +10,10 @@
(type iorapd_exec)
(type iorapd_service)
(type iorapd_tmpfs)
+(type timezone_service)
+(type tzdatacheck)
+(type tzdatacheck_exec)
+(type zoneinfo_data_file)
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
diff --git a/private/file_contexts b/private/file_contexts
index addbb13..90d0d6e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -325,7 +325,6 @@
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
@@ -653,7 +652,6 @@
/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
diff --git a/private/perfetto.te b/private/perfetto.te
index 0904a67..45fa60b 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -116,17 +116,13 @@
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
neverallow perfetto {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
diff --git a/private/platform_app.te b/private/platform_app.te
index b723633..972593f 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,7 +67,6 @@
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
diff --git a/private/service_contexts b/private/service_contexts
index 1094151..1cd7136 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -347,7 +347,6 @@
texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
-timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
tracing.proxy u:object_r:tracingproxy_service:s0
translation u:object_r:translation_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 78817b1..2c300fa 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -613,10 +613,6 @@
allow system_server wifi_data_file:dir create_dir_perms;
allow system_server wifi_data_file:file create_file_perms;
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
# Manage /data/app-staging.
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
diff --git a/private/traced.te b/private/traced.te
index 6810c35..3029094 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -93,15 +93,11 @@
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
data_file_type
- -zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-trace_data_file
diff --git a/private/traced_probes.te b/private/traced_probes.te
index f2be14d..204ea08 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -139,15 +139,11 @@
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced_probes {
data_file_type
- -zoneinfo_data_file
-packages_list_file
with_native_coverage(`-method_trace_data_file')
-game_mode_intervention_list_file
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/public/domain.te b/public/domain.te
index 4f60d9d..290580c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -226,11 +226,10 @@
# read and stat any sysfs symlinks
allow domain sysfs:lnk_file { getattr read };
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
+# libc references /system/usr/share/zoneinfo for timezone related information.
# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
+allow domain { system_zoneinfo_file }:file r_file_perms;
+allow domain { system_zoneinfo_file }:dir r_dir_perms;
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
@@ -835,11 +834,6 @@
-vendor_init
} {
core_data_file_type
- # libc includes functions like mktime and localtime which attempt to access
- # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
- # These functions are considered vndk-stable and thus must be allowed for
- # all processes.
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
neverallow {
@@ -848,7 +842,6 @@
} {
core_data_file_type
-unencrypted_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
@@ -869,7 +862,6 @@
-system_data_root_file
-vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow {
@@ -882,7 +874,6 @@
-system_data_root_file
-vendor_userdir_file
-vendor_data_file
- -zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
diff --git a/public/file.te b/public/file.te
index f0ddb37..b28a106 100644
--- a/public/file.te
+++ b/public/file.te
@@ -450,7 +450,6 @@
type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 069da47..29bab48 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -42,7 +42,6 @@
data_file_type
-anr_data_file # for crash dump collection
-tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
with_native_coverage(`-method_trace_data_file')
}:{ file fifo_file sock_file } *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1315b8f..44786fc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -67,7 +67,6 @@
# descriptor opened outside the process.
neverallow mediaextractor {
data_file_type
- -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
with_native_coverage(`-method_trace_data_file')
}:file open;
diff --git a/public/service.te b/public/service.te
index 8dc3e04..2774275 100644
--- a/public/service.te
+++ b/public/service.te
@@ -227,7 +227,6 @@
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 8570260..496061c 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -60,7 +60,6 @@
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
diff --git a/public/tzdatacheck.te b/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;