sepolicy: remove ashmemd
Bug: 139855428
Test: m selinux_policy
Change-Id: I8d7f66b16be025f7cb9c5269fae6fd7540c2fdc9
diff --git a/private/app_zygote.te b/private/app_zygote.te
index fe7ded3..c111ac8 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -103,7 +103,6 @@
neverallow app_zygote {
service_manager_type
-activity_service
- -ashmem_device_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/ashmemd.te b/private/ashmemd.te
deleted file mode 100644
index 08df515..0000000
--- a/private/ashmemd.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute ashmemd coredomain;
-type ashmemd_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(ashmemd)
-
-binder_use(ashmemd)
-add_service(ashmemd, ashmem_device_service)
-
-allow ashmemd ashmem_device:chr_file rw_file_perms;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 19ab79a..6fc86de 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -125,7 +125,6 @@
su_tmpfs
super_block_device
sysfs_fs_f2fs
- system_ashmem_hwservice
system_bootstrap_lib_file
system_event_log_tags_file
system_lmk_prop
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 2079248..5be5c06 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,4 +1,5 @@
;; types removed from current policy
+(type ashmemd)
(type hal_wifi_offload_hwservice)
(type mediacodec_service)
(type perfprofd_data_file)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 4257087..b4dd7c5 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -19,7 +19,6 @@
linker_prop
ota_metadata_file
art_apex_dir
- system_ashmem_hwservice
system_group_file
system_passwd_file
vendor_apex_file
diff --git a/private/coredomain.te b/private/coredomain.te
index 7ad5856..af91028 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -187,16 +187,3 @@
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
-
-# Allow access to ashmemd to request /dev/ashmem fds.
-allow {
- coredomain
- -init
- -iorapd
-} ashmem_device_service:service_manager find;
-
-binder_call({
- coredomain
- -init
- -iorapd
-}, ashmemd)
diff --git a/private/file_contexts b/private/file_contexts
index b1b100e..ddeff52 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -186,7 +186,6 @@
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
-/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 9dbe923..7aa28aa 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,6 +3,3 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
-
-# To talk to ashmemd
-binder_use(hal_allocator_default)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 27fca1f..d72231b 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -79,7 +79,6 @@
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.ashmem::IAshmem u:object_r:system_ashmem_hwservice:s0
android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94b49b0..50cbd8c 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -92,12 +92,10 @@
# b/17487348
# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service, and
-# ashmem_device_service.
+# activity_service, display_service, webviewupdate_service.
neverallow isolated_app {
service_manager_type
-activity_service
- -ashmem_device_service
-display_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/service.te b/private/service.te
index 08133ed..7ac7988 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,3 @@
-type ashmem_device_service, app_api_service, service_manager_type;
type attention_service, system_server_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 6cb59e8..2f2f4c7 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,7 +10,6 @@
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
apexservice u:object_r:apex_service:s0
-ashmem_device_service u:object_r:ashmem_device_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index fd605c7..249c33b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -177,6 +177,5 @@
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
-# Allow access to ashmemd to request /dev/ashmem fds.
-binder_call(untrusted_app_all, ashmemd)
+# Allow (rw_file_perms - open) access to /dev/ashmem.
allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
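Review bot: The rewritten comment above the `allow untrusted_app_all ashmem_device:chr_file` rule names the permission set but not the reason `open` is withheld. With the ashmemd `binder_call` gone, this file no longer shows how an untrusted app is expected to obtain a /dev/ashmem fd. If the intent is that apps only operate on fds they are handed and never open the node themselves, the comment should say so, for example `# Allow (rw_file_perms - open) on /dev/ashmem: apps may use fds passed to them but must not open the device directly.` That intent is inferred from the permission list, so adjust the wording if the actual reason differs.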
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 2f5007a..8fe9733 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -113,7 +113,6 @@
neverallow webview_zygote {
service_manager_type
-activity_service
- -ashmem_device_service
-webviewupdate_service
}:service_manager find;
diff --git a/public/app.te b/public/app.te
index b523ad6..17b7852 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,9 +357,6 @@
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
-# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
-binder_call({ appdomain -coredomain }, ashmem_server)
-
###
### Neverallow rules
###
diff --git a/public/ashmem_server.te b/public/ashmem_server.te
deleted file mode 100644
index e36a987..0000000
--- a/public/ashmem_server.te
+++ /dev/null
@@ -1,3 +0,0 @@
-hwbinder_use(ashmem_server)
-get_prop(ashmem_server, hwservicemanager_prop)
-add_hwservice(ashmem_server, system_ashmem_hwservice)
diff --git a/public/ashmemd.te b/public/ashmemd.te
deleted file mode 100644
index 9ead477..0000000
--- a/public/ashmemd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# TODO(b/133869224): Make private once ashmemd
-# is cleaned up from vendor sepolicy.
-type ashmemd, domain, ashmem_server;
diff --git a/public/attributes b/public/attributes
index da4cd3f..b600ea4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -351,7 +351,6 @@
# from one core domain to another, without having to update the vendor image
# which contains clients of this service.
-attribute ashmem_server;
attribute camera_service_server;
attribute display_service_server;
attribute scheduler_service_server;
diff --git a/public/domain.te b/public/domain.te
index 8af3086..79a9ed4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -72,7 +72,7 @@
allow domain zero_device:chr_file rw_file_perms;
allow {
domain
- # TODO(b/113362644): route coredomain to ashmemd
+ # TODO(b/113362644): route coredomain to libcutils.
#-coredomain
-mediaprovider
-ephemeral_app
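Review bot: The reworded TODO still leaves `#-coredomain` commented out, so this allow block keeps covering coredomain. "route coredomain to libcutils" does not say what has to be true before the exclusion can be enabled. A more specific comment would help whoever closes b/113362644, for example `# TODO(b/113362644): exclude coredomain once it reaches ashmem only through libcutils.`; the end state is inferred, so adjust it if the plan differs. The allow statement starts and ends outside this hunk, so its target and permission set are not visible here.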
@@ -83,14 +83,6 @@
# This device is used by libcutils.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
-# Allow using fds to /dev/ashmem.
-allow domain ashmem_server:fd use;
-
-# Allow vendor hals to access IAshmem
-# TODO(b/134783601): Change to a whitelist.
-allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
-allow { domain -coredomain -appdomain } ashmem_server: binder call;
-
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index e8d4b1b..3276002 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -56,7 +56,6 @@
type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
diff --git a/public/installd.te b/public/installd.te
index 0465582..40b151e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -171,7 +171,6 @@
neverallow { domain -system_server -dumpstate } installd:binder call;
neverallow installd {
domain
- -ashmem_server
-system_server
-servicemanager
userdebug_or_eng(`-su')
diff --git a/public/vold.te b/public/vold.te
index f4a6259..9568c48 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -305,7 +305,6 @@
neverallow vold {
domain
- -ashmem_server
-hal_health_storage_server
-hal_keymaster_server
-system_suspend_server