Remove microdroid specific rules and files

These rules and files have been moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
diff --git a/Android.bp b/Android.bp
index 3afa1d1..a43a689 100644
--- a/Android.bp
+++ b/Android.bp
@@ -927,63 +927,3 @@
     cts: true,
     exclude_build_test: true,
 }
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
-    name: "microdroid_plat_pub_versioned.cil",
-    stem: "plat_pub_versioned.cil",
-    base: ":plat_pub_policy.cil",
-    target_policy: ":plat_pub_policy.cil",
-    version: "current",
-    dependent_cils: [
-        ":plat_sepolicy.cil",
-        ":plat_mapping_file",
-    ],
-    installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
-    name: "microdroid_vendor_sepolicy.conf",
-    srcs: [":se_build_files{.plat_vendor}"],
-    installable: false,
-}
-
-se_policy_cil {
-    name: "microdroid_vendor_sepolicy.cil.raw",
-    src: ":microdroid_vendor_sepolicy.conf",
-    filter_out: [":reqd_policy_mask.cil"],
-    secilc_check: false, // will be done in se_versioned_policy module
-    installable: false,
-}
-
-se_versioned_policy {
-    name: "microdroid_vendor_sepolicy.cil",
-    stem: "vendor_sepolicy.cil",
-    base: ":plat_pub_policy.cil",
-    target_policy: ":microdroid_vendor_sepolicy.cil.raw",
-    version: "current", // microdroid is bundled to system
-    dependent_cils: [
-        ":plat_sepolicy.cil",
-        ":microdroid_plat_pub_versioned.cil",
-        ":plat_mapping_file",
-    ],
-    filter_out: [":microdroid_plat_pub_versioned.cil"],
-    installable: false,
-}
-
-sepolicy_vers {
-    name: "microdroid_plat_sepolicy_vers.txt",
-    version: "platform",
-    stem: "plat_sepolicy_vers.txt",
-    installable: false,
-}
diff --git a/private/domain.te b/private/domain.te
index 13cf988..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,7 +216,6 @@
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
-    userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
 } { fs_type -rootfs }:file execute;
 
 #
@@ -368,7 +367,6 @@
     -update_engine
     -vold
     -zygote
-    -zipfuse
 } { fs_type
     -sdcard_type
 }:filesystem { mount remount relabelfrom relabelto };
diff --git a/private/fsck.te b/private/fsck.te
index c2eb25b..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -3,8 +3,3 @@
 init_daemon_domain(fsck)
 
 allow fsck metadata_block_device:blk_file rw_file_perms;
-
-# TODO(b/189165759): move this to microdroid specific sepolicy
-userdebug_or_eng(`
-    allow fsck vd_device:blk_file rw_file_perms;
-')
diff --git a/private/microdroid_launcher.te b/private/microdroid_launcher.te
deleted file mode 100644
index 5983cb7..0000000
--- a/private/microdroid_launcher.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# microdroid_launcher is a binary that loads a shared library from an apk and
-# executes it by calling an entry point in the library. This can be considered
-# as the native counterpart of app_process for Java.
-
-type microdroid_launcher, domain, coredomain;
-type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-
-# allow executing files on the zipfuse fs
-# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# allow microdroid_launcher zipfusefs:dir r_dir_perms;
-# allow microdroid_launcher zipfusefs:file rx_file_perms;
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
-  allow microdroid_launcher fuse:dir r_dir_perms;
-  allow microdroid_launcher fuse:file rx_file_perms;
-')
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_launcher adbd:fd use;
-allow microdroid_launcher adbd:unix_stream_socket { read write };
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
-  allow microdroid_launcher shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_launcher devpts:chr_file rw_file_perms;
diff --git a/private/microdroid_manager.te b/private/microdroid_manager.te
deleted file mode 100644
index b1e4d75..0000000
--- a/private/microdroid_manager.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# TODO(b/189165759) for moving this to packages/modules/Virtualization
-# microdroid_manager is a daemon running in the microdroid.
-
-type microdroid_manager, domain, coredomain;
-type microdroid_manager_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(microdroid_manager)
-
-# microdroid_manager accesses /dev/block/by-name/signature which points to
-# a /dev/vd* block device file.
-allow microdroid_manager block_device:dir r_dir_perms;
-allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file r_file_perms;
-
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
-
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
-
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
-  allow microdroid_manager fuse:dir r_dir_perms;
-  allow microdroid_manager fuse:file rx_file_perms;
-')
diff --git a/private/shell.te b/private/shell.te
index 7c786c9..5831d54 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -191,11 +191,6 @@
 # Allow shell to read Virtual A/B related properties
 get_prop(shell, virtual_ab_prop)
 
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
 # Never allow others to set or get the perf.drop_caches property.
 neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
 neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
diff --git a/private/zipfuse.te b/private/zipfuse.te
deleted file mode 100644
index 9d5faad..0000000
--- a/private/zipfuse.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# zipfuse is a FUSE daemon running in the microdroid. It mounts
-# /dev/block/by-name/microdroid-apk whose content is from an apk file on
-# /mnt/apk so that the entries in the apk file are seen as regular files. See
-# packages/modules/Virtualization/zipfuse.
-
-type zipfuse, domain, coredomain;
-type zipfuse_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
-# allow basic rules to implement FUSE
-allow zipfuse fuse_device:chr_file rw_file_perms;
-allow zipfuse self:global_capability_class_set sys_admin;
-
-# allow access to /dev/vd* block device files and also access to the symlinks
-# /dev/block/by-name/*
-allow zipfuse block_device:dir r_dir_perms;
-allow zipfuse block_device:lnk_file r_file_perms;
-allow zipfuse vd_device:blk_file r_file_perms;
-
-# allow mounting on /mnt/apk
-allow zipfuse tmpfs:dir mounton;
-
-# TODO(b/188400186) uncomment the following when this filesystem is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# type zipfusefs, fs_type, contextmount_type;
-# allow zipfuse fuse:filesystem relabelfrom;
-# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-
-# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
-userdebug_or_eng(`
-  allow zipfuse fuse:filesystem mount;
-')
diff --git a/public/e2fs.te b/public/e2fs.te
index 6eeb7ea..dd5bd69 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -12,15 +12,6 @@
   BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
 };
 
-# Allow e2fs to format /dev/block/vd*
-# TODO(b/189165759) move this rule to packages/modules/Virtualization
-userdebug_or_eng(`
-allow e2fs vd_device:blk_file rw_file_perms;
-allowxperm e2fs vd_device:blk_file ioctl {
-  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-')
-
 allow e2fs {
   proc_filesystems
   proc_mounts