Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8ba125ccaef8769a2acfff7d1fd71ebc.
Reason for revert: Broke user builds.
Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
diff --git a/private/adbd.te b/private/adbd.te
index 864358a..191c519 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -18,9 +18,6 @@
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
-
- # Allows reboot fastboot to enter fastboot directly
- unix_socket_connect(adbd, recovery, recovery)
')
# Do not sanitize the environment or open fds of the shell. Allow signaling
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d52b41b..5a96107 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -49,7 +49,6 @@
exported3_default_prop
exported3_radio_prop
exported3_system_prop
- fastbootd
fingerprint_vendor_data_file
fs_bpf
hal_audiocontrol_hwservice
@@ -97,7 +96,6 @@
perfetto_traces_data_file
perfprofd_service
property_info
- recovery_socket
secure_element
secure_element_device
secure_element_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 8e5370c..9120694 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -45,7 +45,6 @@
exported_system_radio_prop
exported_vold_prop
exported_wifi_prop
- fastbootd
fingerprint_vendor_data_file
fs_bpf
hal_audiocontrol_hwservice
@@ -84,7 +83,6 @@
perfetto_traces_data_file
perfprofd_service
property_info
- recovery_socket
secure_element
secure_element_device
secure_element_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 5386bee..18955b2 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -5,7 +5,6 @@
(typeattributeset new_objects
( activity_task_service
adb_service
- fastbootd
hal_health_filesystem_hwservice
hal_system_suspend_default
hal_system_suspend_default_exec
@@ -15,7 +14,6 @@
llkd_tmpfs
mnt_product_file
overlayfs_file
- recovery_socket
system_lmk_prop
system_suspend_hwservice
time_prop
diff --git a/private/fastbootd.te b/private/fastbootd.te
deleted file mode 100644
index 29a9157..0000000
--- a/private/fastbootd.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute fastbootd coredomain;
diff --git a/private/file_contexts b/private/file_contexts
index 0a77f6b..003d66c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -149,7 +149,6 @@
/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/racoon u:object_r:racoon_socket:s0
-/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
diff --git a/private/init.te b/private/init.te
index 30e5e36..02686a3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -9,7 +9,6 @@
domain_auto_trans(init, e2fs_exec, e2fs)
recovery_only(`
domain_trans(init, rootfs, adbd)
- domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
diff --git a/public/domain.te b/public/domain.te
index 5b6944d..db2beef 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -557,7 +557,6 @@
domain
-adbd
-dumpstate
- -fastbootd
-hal_drm_server
-hal_cas_server
-init
@@ -592,21 +591,11 @@
-fsck
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
-neverallow {
- domain
- -fastbootd
- -recovery
- -update_engine
-} system_block_device:blk_file { write append };
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
-# No domains other than install_recovery, recovery or fastbootd can write to recovery.
-neverallow {
- domain
- -fastbootd
- -install_recovery
- -recovery
-} recovery_block_device:blk_file { write append };
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
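Review bot: The two restored one-line `neverallow` rules for `system_block_device` and `recovery_block_device` assert only `{ write append }`, while the `metadata_block_device` rule that ends at the top of this hunk lists `{ append link rename write open read ioctl lock }`, and the comments do not say the narrower set is deliberate. If it is intended, state it in the comment, e.g. `# Asserts write/append only; other access to system_block_device is not restricted by this rule.` The removed `-fastbootd` exemptions here pair with the `-fastbootd` removal in the earlier hunk of this file and with the deletion of `public/fastbootd.te`. Because the revert reason does not name the failing rule, a re-land would presumably need to restore the exemptions and the type declaration in the same change and be built for the user variant.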
diff --git a/public/fastbootd.te b/public/fastbootd.te
deleted file mode 100644
index 82ae47b..0000000
--- a/public/fastbootd.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# fastbootd (used in recovery init.rc for /sbin/fastbootd)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type fastbootd, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # fastbootd can only use HALs in passthrough mode
- passthrough_hal_client_domain(fastbootd, hal_bootctl)
-
- # Access /dev/usb-ffs/fastbootd/ep0
- allow fastbootd functionfs:dir search;
- allow fastbootd functionfs:file rw_file_perms;
-
- # Log to serial
- allow fastbootd kmsg_device:chr_file { open write };
-
- # battery info
- allow fastbootd sysfs_batteryinfo:file r_file_perms;
-
- allow fastbootd device:dir r_dir_perms;
-
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
- # Set sys.usb.ffs.ready.
- set_prop(fastbootd, ffs_prop)
- set_prop(fastbootd, exported_ffs_prop)
-
- unix_socket_connect(fastbootd, recovery, recovery)
-
- # Required for flashing
- allow fastbootd dm_device:chr_file rw_file_perms;
- allow fastbootd dm_device:blk_file rw_file_perms;
-
- allow fastbootd system_block_device:blk_file rw_file_perms;
- allow fastbootd boot_block_device:blk_file rw_file_perms;
-
- allow fastbootd misc_block_device:blk_file rw_file_perms;
-
- allow fastbootd proc_cmdline:file r_file_perms;
- allow fastbootd rootfs:dir r_dir_perms;
- allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
-')
-
-###
-### neverallow rules
-###
-
-# Write permission is required to wipe userdata
-# until recovery supports vold.
-neverallow fastbootd {
- data_file_type
-}:file { no_x_file_perms };
diff --git a/public/file.te b/public/file.te
index 4b0dc2d..75d1edc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -342,7 +342,6 @@
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
-type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
diff --git a/public/recovery.te b/public/recovery.te
index 317cf32..dcec970 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -118,10 +118,6 @@
set_prop(recovery, ffs_prop)
set_prop(recovery, exported_ffs_prop)
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, system_radio_prop)
- set_prop(recovery, exported_system_radio_prop)
-
# Read ro.boot.bootreason
get_prop(recovery, bootloader_boot_reason_prop)