Iorapd and friends have been removed
Remove references in sepolicy. Leave a few of the types defined since
they're public and may be used in device-specific policy.
Bug: 211461392
Test: build/boot cuttlefish
Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
-dumpstate_service
-incident_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 4439277..3a096be 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,3 +1,16 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+
(expandtypeattribute (DockObserver_service_33_0) true)
(expandtypeattribute (IProxyService_service_33_0) true)
(expandtypeattribute (aac_drc_prop_33_0) true)
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..56e1730 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -91,8 +91,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -111,8 +109,6 @@
-idmap
-init
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
diff --git a/private/domain.te b/private/domain.te
index f95df34..5f369e3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,8 +181,6 @@
-app_zygote
-dexoptanalyzer
-installd
- -iorap_inode2filename
- -iorap_prefetcherd
-profman
-rs # spawned by appdomain, so carryover the exception above
-runas
@@ -205,7 +203,6 @@
-appdomain
-app_zygote
-installd
- -iorap_prefetcherd
-rs # spawned by appdomain, so carryover the exception above
} { privapp_data_file app_data_file }:file_class_set open;
@@ -230,7 +227,6 @@
-system_server
-apexd
-installd
- -iorap_inode2filename
-priv_app
-virtualizationservice
} staging_data_file:dir *;
@@ -243,7 +239,6 @@
-adbd
-kernel
-installd
- -iorap_inode2filename
-priv_app
-shell
-virtualizationservice
@@ -273,7 +268,6 @@
domain
-appdomain
with_asan(`-asan_extract')
- -iorap_prefetcherd
-shell
userdebug_or_eng(`-su')
-system_server_startup # for memfd backed executable regions
@@ -394,8 +388,6 @@
# this list should be a superset of the one above.
neverallow ~{
dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
traced_perf
traced_probes
heapprofd
@@ -475,8 +467,6 @@
-heapprofd
userdebug_or_eng(`-profcollectd')
-init
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel
userdebug_or_eng(`-simpleperf_boot')
-traced_perf
@@ -514,8 +504,6 @@
-crash_dump
-crosvm # loads vendor-specific disk images
-init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
-kernel # loads /vendor/firmware
-heapprofd
userdebug_or_eng(`-profcollectd')
@@ -619,7 +607,6 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
- -iorap_inode2filename
-traced_probes # resolve inodes for i/o tracing.
# only needs open and read, the rest is neverallow in
# traced_probes.te.
diff --git a/private/file_contexts b/private/file_contexts
index 0c45a88..addbb13 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,9 +323,6 @@
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -658,7 +655,6 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
@@ -779,9 +775,6 @@
/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
# Backup service persistent per-user bookkeeping
/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
# Backup service temporary per-user data for inter-change with apps
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..0aed4d3 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
neverallow {
mlstrustedsubject
-installd
- -iorap_prefetcherd
- -iorap_inode2filename
-system_server
-adbd
-runas
diff --git a/private/service_contexts b/private/service_contexts
index 0869b0f..1094151 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,7 +197,6 @@
input_method u:object_r:input_method_service:s0
input u:object_r:input_service:s0
installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
iphonesubinfo_msim u:object_r:radio_service:s0
iphonesubinfo2 u:object_r:radio_service:s0
iphonesubinfo u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..4888072 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@
-dnsresolver_service
-dumpstate_service
-installd_service
- -iorapd_service
-lpdump_service
-mdns_service
-netd_service
@@ -103,7 +102,6 @@
dnsresolver_service
dumpstate_service
installd_service
- iorapd_service
mdns_service
netd_service
virtual_touchpad_service
diff --git a/private/system_server.te b/private/system_server.te
index e77ba5d..78817b1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -287,7 +287,6 @@
binder_call(system_server, idmap)
binder_call(system_server, installd)
binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
binder_call(system_server, netd)
userdebug_or_eng(`binder_call(system_server, profcollectd)')
binder_call(system_server, statsd)
@@ -903,7 +902,6 @@
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
allow system_server keystore_maintenance_service:service_manager find;
allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index ec31a20..6810c35 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
@@ -41,11 +38,6 @@
binder_use(traced);
binder_call(traced, system_server);
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer