Revert "Fix CTS regressions" This reverts commit ed876a5e969ce89d9887cc19a97aadbaf5118e4a. Fixes user builds. libsepol.report_failure: neverallow on line 513 of system/sepolicy/public/domain.te (or line 9149 of policy.conf) violated by allow update_verifier misc_block_device:blk_file { ioctl read write lock append open }; libsepol.check_assertions: 1 neverallow failures occurred Error while expanding policy Bug: 69566734 Test: build taimen-user Change-Id: I969b7539dce547f020918ddc3e17208fc98385c4

commit: cd69bebf7646fd1fb9a2c378d7a3ccc80a00d450 [log] [tgz]
author: Jeffrey Vander Stoep <jeffv@google.com> Tue Nov 21 20:25:37 2017 +0000
committer: Jeffrey Vander Stoep <jeffv@google.com> Tue Nov 21 20:27:47 2017 +0000
tree: eac3c8ec79198a10ead0bdb82ccf61ff911df614
parent: ed876a5e969ce89d9887cc19a97aadbaf5118e4a [diff]
diff --git a/public/domain.te b/public/domain.te
index 91cf8ca..f4d5c68 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -462,8 +462,8 @@
   domain
   -adbd
   -dumpstate
-  -hal_drm_server
-  -hal_cas_server
+  -hal_drm
+  -hal_cas
   -init
   -mediadrmserver
   -recovery
@@ -503,7 +503,7 @@
 neverallow {
   domain
   userdebug_or_eng(`-domain') # exclude debuggable builds
-  -hal_bootctl_server
+  -hal_bootctl
   -init
   -uncrypt
   -update_engine

diff --git a/public/hal_audio.te b/public/hal_audio.te
index dd7b140..0665e26 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te

@@ -23,11 +23,11 @@
 ###
 
 # Should never execute any executable without a domain transition
-neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio { file_type fs_type }:file execute_no_trans;
 
 # Should never need network access.
 # Disallow network sockets.
-neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only audio HAL may directly access the audio hardware
 neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;

diff --git a/public/hal_camera.te b/public/hal_camera.te
index 4265b8a..d0824c3 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te

@@ -23,10 +23,10 @@
 
 # hal_camera should never execute any executable without a
 # domain transition
-neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
 
 # hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
 
 # Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;

diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7f65358..b4801c5 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te

@@ -7,7 +7,7 @@
 allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 
 # Permit reading device's serial number from system properties
-get_prop(hal_cas_server, serialno_prop)
+get_prop(hal_cas, serialno_prop)
 
 # Read files already opened under /data
 allow hal_cas system_data_file:file { getattr read };
@@ -29,7 +29,7 @@
 
 # hal_cas should never execute any executable without a
 # domain transition
-neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

diff --git a/public/hal_drm.te b/public/hal_drm.te
index a46dd91..fbd90eb 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te

@@ -47,7 +47,7 @@
 
 # hal_drm should never execute any executable without a
 # domain transition
-neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
 
 # do not allow privileged socket ioctl commands
-neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

diff --git a/public/te_macros b/public/te_macros
index 18e5e61..aad2949 100644
--- a/public/te_macros
+++ b/public/te_macros

@@ -213,6 +213,7 @@
 attribute hal_$1_server;
 expandattribute hal_$1_server false;
 
+neverallow { hal_$1_client -halclientdomain } domain:process fork;
 neverallow { hal_$1_server -halserverdomain } domain:process fork;
 ')
 

diff --git a/public/vold.te b/public/vold.te
index 9dbf8dd..b446915 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -210,7 +210,7 @@
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
-  -hal_keymaster_server
+  -hal_keymaster
   -healthd
   -hwservicemanager
   -servicemanager
commit	cd69bebf7646fd1fb9a2c378d7a3ccc80a00d450	[log] [tgz]
author	Jeffrey Vander Stoep <jeffv@google.com>	Tue Nov 21 20:25:37 2017 +0000
committer	Jeffrey Vander Stoep <jeffv@google.com>	Tue Nov 21 20:27:47 2017 +0000
tree	eac3c8ec79198a10ead0bdb82ccf61ff911df614
parent	ed876a5e969ce89d9887cc19a97aadbaf5118e4a [diff]