sepolicy: remove all remaining qtaguid stuff.
We've required kernel bpf support (instead of xt_qtaguid)
since Android S. Somewhere around Android T/U, things actually
started malfunctioning if qtaguid was even enabled in the
kernel (due to it outright replacing the 'xt_owner' netfilter
module in a not-quite-backward-compatible way).
After this change:
cd system/sepolicy
git grep qtaguid | egrep -v prebuilts/ | egrep -v compat/[23]
now comes up empty
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2b336c7a949b9560237b93ddc5186386263dbcb5
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..a1079c0 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -279,7 +279,6 @@
/dev/video99 video_device
/dev/vndbinder vndbinder_device
/dev/watchdog watchdog_device
-/dev/xt_qtaguid qtaguid_device
/dev/zero zero_device
/dev/__properties__ properties_device
/dev/__properties__/property_info property_info
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 8938ef2..2ba6a15 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -27,8 +27,6 @@
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
-genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 67af209..1a991f6 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -288,10 +288,8 @@
proc_kmsg
proc_net
proc_pagetypeinfo
- proc_qtaguid_stat
proc_slabinfo
proc_sysrq
- proc_qtaguid_ctrl
proc_vmallocinfo
}:file setattr;
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index 5b6f82e..8580c0b 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -44,7 +44,7 @@
attribute proc_type;
expandattribute proc_type false;
-# Types in /proc/net, excluding qtaguid types.
+# Types in /proc/net.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. it is temporary and will
# be removed.
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 8d3f76a..1a674ab 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -116,8 +116,6 @@
type proc_pressure_cpu, fs_type, proc_type;
type proc_pressure_io, fs_type, proc_type;
type proc_pressure_mem, fs_type, proc_type;
-type proc_qtaguid_ctrl, fs_type, proc_type;
-type proc_qtaguid_stat, fs_type, proc_type;
type proc_random, fs_type, proc_type;
type proc_sched, fs_type, proc_type;
type proc_security, fs_type, proc_type;
diff --git a/private/compat/202404/202404.cil b/private/compat/202404/202404.cil
index 869deb6..b6caa7c 100644
--- a/private/compat/202404/202404.cil
+++ b/private/compat/202404/202404.cil
@@ -1,3 +1,9 @@
+;; types removed from current policy
+;; (technically qtaguid is useless since Android S, api=31)
+(type proc_qtaguid_ctrl)
+(type proc_qtaguid_stat)
+(type qtaguid_device)
+
;; This type may or may not already exist in vendor policy. Re-define it here (duplicate
;; definitions in CIL will be ignored) - so we can reference it in 202404.cil.
(type vendor_hidraw_device)
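Review bot: The three bare `(type ...)` declarations added at the top of 202404.cil have no comment saying why removed types are still declared here, and they carry none of the attributes the deleted definitions had (`fs_type`, `proc_type`, `mlstrustedobject` in public/file.te; `dev_type` in public/device.te). I would extend the comment with something like `;; declared only so vendor policy built against 202404 that still names these types keeps compiling; platform policy no longer labels or grants anything on them`. The versioned mappings for these types are presumably further down in this file, outside the hunk. It is worth confirming they still resolve against the new declarations, which the TreeHugger build should exercise.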
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..bdfd7a3 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -403,8 +403,6 @@
proc_net_type
proc_pipe_conf
proc_pagetypeinfo
- proc_qtaguid_ctrl
- proc_qtaguid_stat
proc_slabinfo
proc_version
proc_vmallocinfo
diff --git a/private/file_contexts b/private/file_contexts
index 76f412a..7a503eb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -219,7 +219,6 @@
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
-/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
/dev/__properties__/appcompat_override u:object_r:properties_device:s0
diff --git a/private/genfs_contexts b/private/genfs_contexts
index de2b139..5b2aaf8 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -27,8 +27,6 @@
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
-genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
diff --git a/private/init.te b/private/init.te
index e4bafd8..cca5900 100644
--- a/private/init.te
+++ b/private/init.te
@@ -557,10 +557,8 @@
proc_kmsg
proc_net
proc_pagetypeinfo
- proc_qtaguid_stat
proc_slabinfo
proc_sysrq
- proc_qtaguid_ctrl
proc_vmallocinfo
}:file setattr;
diff --git a/private/system_server.te b/private/system_server.te
index 1c9f732..aff3cb6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1179,7 +1179,6 @@
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
-r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_cmdline
proc_loadavg
diff --git a/public/attributes b/public/attributes
index 759b773..e78eaa8 100644
--- a/public/attributes
+++ b/public/attributes
@@ -61,7 +61,7 @@
attribute proc_type;
expandattribute proc_type false;
-# Types in /proc/net, excluding qtaguid types.
+# Types in /proc/net.
# TODO(b/9496886) Lock down access to /proc/net.
# This attribute is used to audit access to proc_net. it is temporary and will
# be removed.
diff --git a/public/device.te b/public/device.te
index beafdf2..0a8d6e8 100644
--- a/public/device.te
+++ b/public/device.te
@@ -52,7 +52,6 @@
type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject, isolated_compute_allowed_device;
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
type watchdog_device, dev_type;
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
diff --git a/public/file.te b/public/file.te
index b28ca85..067dda3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -31,8 +31,6 @@
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
-type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
-type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;