Merge "Iorapd and friends have been removed"
diff --git a/private/atrace.te b/private/atrace.te
index ca0e527..50ab392 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,7 +31,6 @@
   -dumpstate_service
   -incident_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 4439277..3a096be 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -1,3 +1,16 @@
+;; types removed from current policy
+(type iorap_inode2filename)
+(type iorap_inode2filename_exec)
+(type iorap_inode2filename_tmpfs)
+(type iorap_prefetcherd)
+(type iorap_prefetcherd_exec)
+(type iorap_prefetcherd_tmpfs)
+(type iorapd)
+(type iorapd_data_file)
+(type iorapd_exec)
+(type iorapd_service)
+(type iorapd_tmpfs)
+
 (expandtypeattribute (DockObserver_service_33_0) true)
 (expandtypeattribute (IProxyService_service_33_0) true)
 (expandtypeattribute (aac_drc_prop_33_0) true)
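Review bot: The header `;; types removed from current policy` is not accurate for three of the entries under it: `iorapd`, `iorap_inode2filename` and `iorap_prefetcherd` are still declared by the new `public/iorap.te` added in this same commit. It is worth confirming that the policy build accepts a type declared both in the compat mapping and in current public policy, since that cannot be seen from this diff. If the double declaration is intended, the comment should say so, e.g. `;; types removed from current policy (iorapd, iorap_inode2filename, iorap_prefetcherd remain as bare types in public/iorap.te)`. Otherwise those three `(type ...)` lines should be dropped.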
diff --git a/private/coredomain.te b/private/coredomain.te
index e4c9a52..56e1730 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -91,8 +91,6 @@
         -idmap
         -init
         -installd
-        -iorap_inode2filename
-        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
@@ -111,8 +109,6 @@
         -idmap
         -init
         -installd
-        -iorap_inode2filename
-        -iorap_prefetcherd
         -postinstall_dexopt
         -rs # spawned by appdomain, so carryover the exception above
         -system_server
diff --git a/private/domain.te b/private/domain.te
index f95df34..5f369e3 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -181,8 +181,6 @@
   -app_zygote
   -dexoptanalyzer
   -installd
-  -iorap_inode2filename
-  -iorap_prefetcherd
   -profman
   -rs # spawned by appdomain, so carryover the exception above
   -runas
@@ -205,7 +203,6 @@
   -appdomain
   -app_zygote
   -installd
-  -iorap_prefetcherd
   -rs # spawned by appdomain, so carryover the exception above
 } { privapp_data_file app_data_file }:file_class_set open;
 
@@ -230,7 +227,6 @@
   -system_server
   -apexd
   -installd
-  -iorap_inode2filename
   -priv_app
   -virtualizationservice
 } staging_data_file:dir *;
@@ -243,7 +239,6 @@
   -adbd
   -kernel
   -installd
-  -iorap_inode2filename
   -priv_app
   -shell
   -virtualizationservice
@@ -273,7 +268,6 @@
     domain
     -appdomain
     with_asan(`-asan_extract')
-    -iorap_prefetcherd
     -shell
     userdebug_or_eng(`-su')
     -system_server_startup # for memfd backed executable regions
@@ -394,8 +388,6 @@
 # this list should be a superset of the one above.
 neverallow ~{
   dac_override_allowed
-  iorap_inode2filename
-  iorap_prefetcherd
   traced_perf
   traced_probes
   heapprofd
@@ -475,8 +467,6 @@
     -heapprofd
     userdebug_or_eng(`-profcollectd')
     -init
-    -iorap_inode2filename
-    -iorap_prefetcherd
     -kernel
     userdebug_or_eng(`-simpleperf_boot')
     -traced_perf
@@ -514,8 +504,6 @@
     -crash_dump
     -crosvm # loads vendor-specific disk images
     -init # starts vendor executables
-    -iorap_inode2filename
-    -iorap_prefetcherd
     -kernel # loads /vendor/firmware
     -heapprofd
     userdebug_or_eng(`-profcollectd')
@@ -619,7 +607,6 @@
   -appdomain # finer-grained rules for appdomain are listed below
   -system_server #populate com.android.providers.settings/databases/settings.db.
   -installd # creation of app sandbox
-  -iorap_inode2filename
   -traced_probes # resolve inodes for i/o tracing.
                  # only needs open and read, the rest is neverallow in
                  # traced_probes.te.
diff --git a/private/file_contexts b/private/file_contexts
index 0c45a88..addbb13 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,9 +323,6 @@
 /system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
 /system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/viewcompiler     u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd          u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
 /system/bin/sgdisk      u:object_r:sgdisk_exec:s0
 /system/bin/blkid       u:object_r:blkid_exec:s0
 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -658,7 +655,6 @@
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
 /data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)?         u:object_r:iorapd_data_file:s0
 /data/misc/update_engine(/.*)?  u:object_r:update_engine_data_file:s0
 /data/misc/update_engine_log(/.*)?  u:object_r:update_engine_log_data_file:s0
 /data/system/dropbox(/.*)?      u:object_r:dropbox_data_file:s0
@@ -779,9 +775,6 @@
 /data/misc_de/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 /data/misc_ce/[0-9]+/vold(/.*)?           u:object_r:vold_data_file:s0
 
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)?           u:object_r:iorapd_data_file:s0
-
 # Backup service persistent per-user bookkeeping
 /data/system_ce/[0-9]+/backup(/.*)?		u:object_r:backup_data_file:s0
 # Backup service temporary per-user data for inter-change with apps
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/private/iorap_prefecherd.te b/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/private/iorapd.te b/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
index 22482d9..0aed4d3 100644
--- a/private/mlstrustedsubject.te
+++ b/private/mlstrustedsubject.te
@@ -7,22 +7,16 @@
 neverallow {
   mlstrustedsubject
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
 } { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
 
 neverallow {
   mlstrustedsubject
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
 } { app_data_file privapp_data_file }:dir ~{ read getattr search };
 
 neverallow {
   mlstrustedsubject
   -installd
-  -iorap_prefetcherd
-  -iorap_inode2filename
   -system_server
   -adbd
   -runas
diff --git a/private/service_contexts b/private/service_contexts
index 0869b0f..1094151 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -197,7 +197,6 @@
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
 installd                                  u:object_r:installd_service:s0
-iorapd                                    u:object_r:iorapd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 01956f4..4888072 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -87,7 +87,6 @@
   -dnsresolver_service
   -dumpstate_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
@@ -103,7 +102,6 @@
   dnsresolver_service
   dumpstate_service
   installd_service
-  iorapd_service
   mdns_service
   netd_service
   virtual_touchpad_service
diff --git a/private/system_server.te b/private/system_server.te
index e77ba5d..78817b1 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -287,7 +287,6 @@
 binder_call(system_server, idmap)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
 binder_call(system_server, netd)
 userdebug_or_eng(`binder_call(system_server, profcollectd)')
 binder_call(system_server, statsd)
@@ -903,7 +902,6 @@
 allow system_server incident_service:service_manager find;
 allow system_server incremental_service:service_manager find;
 allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
 allow system_server keystore_maintenance_service:service_manager find;
 allow system_server keystore_metrics_service:service_manager find;
 allow system_server keystore_service:service_manager find;
diff --git a/private/traced.te b/private/traced.te
index ec31a20..6810c35 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -1,7 +1,4 @@
 # Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
 type traced_exec, system_file_type, exec_type, file_type;
 
 # Allow init to exec the daemon.
@@ -41,11 +38,6 @@
 binder_use(traced);
 binder_call(traced, system_server);
 
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
 # Allow traced to use shared memory supplied by producers. Typically, traced
 # (i.e. the tracing service) creates the shared memory used for data transfer
 # from the producer. This rule allows an alternative scheme, where the producer
diff --git a/public/domain.te b/public/domain.te
index bc3f373..4f60d9d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -950,8 +950,6 @@
         -system_lib_file
         -system_linker_exec
         -crash_dump_exec
-        -iorap_prefetcherd_exec
-        -iorap_inode2filename_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
     }:file { entrypoint execute execute_no_trans };
@@ -1019,7 +1017,6 @@
     system_file_type
     -crash_dump_exec
     -file_contexts_file
-    -iorap_inode2filename_exec
     -netutils_wrapper_exec
     -property_contexts_file
     -system_event_log_tags_file
@@ -1192,7 +1189,6 @@
   -dumpstate
   -init
   -installd
-  -iorap_inode2filename
   -simpleperf_app_runner
   -system_server # why?
   userdebug_or_eng(`-uncrypt')
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c75f30..52eb3ff 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -309,9 +309,6 @@
 # Allow dumpstate to talk to installd over binder
 binder_call(dumpstate, installd);
 
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
 # Allow dumpstate to run ip xfrm policy
 allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
 
diff --git a/public/file.te b/public/file.te
index 009e86d..f0ddb37 100644
--- a/public/file.te
+++ b/public/file.te
@@ -452,7 +452,6 @@
 type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
 type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/public/init.te b/public/init.te
index cc28098..d99172f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -214,7 +214,6 @@
   -app_data_file
   -credstore_data_file
   -exec_type
-  -iorapd_data_file
   -keystore_data_file
   -media_userdir_file
   -misc_logd_file
@@ -236,7 +235,6 @@
   -app_data_file
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
@@ -263,7 +261,6 @@
   -app_data_file
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
@@ -283,7 +280,6 @@
   -app_data_file
   -exec_type
   -gsi_data_file
-  -iorapd_data_file
   -credstore_data_file
   -keystore_data_file
   -misc_logd_file
diff --git a/public/iorap.te b/public/iorap.te
new file mode 100644
index 0000000..0671c34
--- /dev/null
+++ b/public/iorap.te
@@ -0,0 +1,4 @@
+# Define these types for now, as they may be used in device-specific policy.
+type iorapd;
+type iorap_inode2filename;
+type iorap_prefetcherd;
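Review bot: The comment on the first line says "for now" but gives no removal condition, and it does not record that these types are deliberately declared without attributes. Before this commit all three were `domain` types covered by neverallow rules on transitions and sockets; none of that remains, so any rules attached to them now would come only from device policy. I would expand the comment to something like `# Placeholder types kept only so device-specific policy that names them still compiles; they carry no attributes and no platform rules. Remove once no device policy references them.` Only three of the removed types are kept here: `iorapd_data_file`, `iorapd_service` and the `_exec`/`_tmpfs` types are not, so device policy naming those would presumably still fail to build, and it is worth confirming that asymmetry is intended.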
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir  { getattr open read search };
-allow iorap_inode2filename backup_data_file:file  { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/iorapd.te b/public/iorapd.te
deleted file mode 100644
index 8fded0c..0000000
--- a/public/iorapd.te
+++ /dev/null
@@ -1,94 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
-    domain
-    -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
-    domain
-    -init
-    -iorapd
-    -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
-    domain
-    -kernel
-    -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
-    domain
-    -init
-    -kernel
-    -vendor_init
-    -iorapd
-    -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
-  domain
-  -servicemanager
-  -system_server
-  userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ udp_socket rawip_socket } *;
-neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/service.te b/public/service.te
index 0fd2360..8dc3e04 100644
--- a/public/service.te
+++ b/public/service.te
@@ -19,7 +19,6 @@
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               app_api_service, ephemeral_app_api_service, service_manager_type;
 type idmap_service,             service_manager_type;
-type iorapd_service,            service_manager_type;
 type incident_service,          service_manager_type;
 type installd_service,          service_manager_type;
 type credstore_service,         app_api_service, service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 4175c86..8570260 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -84,7 +84,6 @@
   -gatekeeper_service
   -incident_service
   -installd_service
-  -iorapd_service
   -mdns_service
   -netd_service
   -system_suspend_control_internal_service
diff --git a/public/traced.te b/public/traced.te
index 922d46e..48da0d8 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,4 @@
 type traced, domain, coredomain, mlstrustedsubject;
 type traced_tmpfs, file_type;
 
+
diff --git a/public/traceur_app.te b/public/traceur_app.te
index 1ab150d..22f6c3b 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -10,7 +10,6 @@
   -gatekeeper_service
   -incident_service
   -installd_service
-  -iorapd_service
   -lpdump_service
   -mdns_service
   -netd_service
diff --git a/public/vold.te b/public/vold.te
index 07f0fd3..6b32f9a 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -334,7 +334,6 @@
   -system_suspend_server
   -hal_bootctl_server
   -hwservicemanager
-  -iorapd_service
   -keystore
   -servicemanager
   -system_server