omni: remove old sepolicy cruft

Let's start anew.

Change-Id: I3389451bfd56a5453d4fd8b2d291e6620ee2e529
diff --git a/sepolicy/common/adbd.te b/sepolicy/common/adbd.te
deleted file mode 100644
index 9546c1a..0000000
--- a/sepolicy/common/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(adbd, ctl_mdnsd_prop);
diff --git a/sepolicy/common/app.te b/sepolicy/common/app.te
deleted file mode 100644
index f76d836..0000000
--- a/sepolicy/common/app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Access OBBs (sdcard_posix) mounted by vold
-# File write access allowed for FDs returned through Storage Access Framework
-#allow appdomain sdcard_posix:dir r_dir_perms;
-#allow appdomain sdcard_posix:file rw_file_perms;
-
diff --git a/sepolicy/common/drmserver.te b/sepolicy/common/drmserver.te
deleted file mode 100644
index b7f4f3f..0000000
--- a/sepolicy/common/drmserver.te
+++ /dev/null
@@ -1 +0,0 @@
-allow drmserver fuse_device:file r_file_perms;
diff --git a/sepolicy/common/file.te b/sepolicy/common/file.te
deleted file mode 100644
index 52c58d8..0000000
--- a/sepolicy/common/file.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-#type sysfs_ioscheduler, fs_type, sysfs_type;
-#type sysfs_zram, fs_type, sysfs_type;
-#type sysfs_ksm, fs_type, sysfs_type;
-type debugsfs_wakelock, fs_type, debugfs_type;
-# Filesystems
-type exfat, sdcard_type, fs_type, mlstrustedobject;
-#type fuse_device, sdcard_type, fs_type, mlstrustedobject;
-type ntfs, sdcard_type, fs_type, mlstrustedobject;
diff --git a/sepolicy/common/file_contexts b/sepolicy/common/file_contexts
deleted file mode 100644
index 1233804..0000000
--- a/sepolicy/common/file_contexts
+++ /dev/null
@@ -1,21 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-# performance-related sysfs files
-/sys/block/zram(/.*)?       u:object_r:sysfs_zram:s0
-
-# mkfs
-/system/bin/mkfs\.exfat   u:object_r:mkfs_exec:s0
-/system/bin/mkfs\.ntfs    u:object_r:mkfs_exec:s0
-
-# fsck
-/system/bin/fsck\.ntfs                          u:object_r:fsck_exec:s0
-/system/bin/fsck\.exfat                          u:object_r:fsck_exec:s0
-
-# mount
-/system/bin/mount\.exfat                         u:object_r:fsck_exec:s0
-/system/bin/mount\.ntfs                         u:object_r:fsck_exec:s0
-
-# wakelocks
-/sys/kernel/debug/wakeup_sources     u:object_r:debugsfs_wakelock:s0
diff --git a/sepolicy/common/fsck_untrusted.te b/sepolicy/common/fsck_untrusted.te
deleted file mode 100644
index c1ba526..0000000
--- a/sepolicy/common/fsck_untrusted.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# External storage
-allow fsck_untrusted self:capability sys_admin;
-
-#OTG Mount
-allow fsck_untrusted mnt_media_rw_stub_file:dir { rw_file_perms mounton };
-allow fsck_untrusted mnt_media_rw_file:dir rw_dir_perms;
-allow fsck_untrusted mnt_media_rw_file:file rw_file_perms;
-allow fsck_untrusted fuse_device:chr_file { read write open getattr };
-allow fsck_untrusted fuse_device:filesystem mount;
-allow fsck_untrusted block_device:dir getattr;
-allow fsck_untrusted media_rw_data_file:dir { search getattr };
-allow fsck_untrusted tmpfs:dir { search };
-
-allow fsck_untrusted toolbox_exec:file entrypoint;
-allow fsck_untrusted toolbox_exec:file r_file_perms;
-allow fsck_untrusted exfat:filesystem mount;
-allow fsck_untrusted self:capability sys_rawio;
-allow fsck_untrusted ntfs:filesystem mount;
-
diff --git a/sepolicy/common/fuse_device.te b/sepolicy/common/fuse_device.te
deleted file mode 100644
index b8e1631..0000000
--- a/sepolicy/common/fuse_device.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-#Exfat OTG
-allow fuse_device self:filesystem associate;
-
diff --git a/sepolicy/common/genfs_contexts b/sepolicy/common/genfs_contexts
deleted file mode 100644
index a9d564a..0000000
--- a/sepolicy/common/genfs_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-# treat fuseblk as sdcard_external
-genfscon fuseblk / u:object_r:fuse_device:s0
-genfscon exfat / u:object_r:exfat:s0
-genfscon ntfs / u:object_r:ntfs:s0
-genfscon sdcard_posix / u:object_r:sdcard_posix:s0
diff --git a/sepolicy/common/healthd.te b/sepolicy/common/healthd.te
deleted file mode 100644
index 4711cf5..0000000
--- a/sepolicy/common/healthd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow healthd self:capability { dac_override dac_read_search };
diff --git a/sepolicy/common/init.te b/sepolicy/common/init.te
deleted file mode 100644
index 0fef3e7..0000000
--- a/sepolicy/common/init.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-# damn!
-#allow init sysfs_ioscheduler:file rw_file_perms;
diff --git a/sepolicy/common/installd.te b/sepolicy/common/installd.te
deleted file mode 100644
index cef2730..0000000
--- a/sepolicy/common/installd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow querying of asec size on SD card
-allow installd sdcard_type:dir { search };
-allow installd sdcard_type:file { getattr };
-allow installd sdcard_posix:filesystem quotaget;
diff --git a/sepolicy/common/isolated_app.te b/sepolicy/common/isolated_app.te
deleted file mode 100644
index 8fb3a60..0000000
--- a/sepolicy/common/isolated_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow isolated_app app_data_file:dir { search getattr };
-allow isolated_app shell_data_file:dir search;
diff --git a/sepolicy/common/mediaprovider.te b/sepolicy/common/mediaprovider.te
deleted file mode 100644
index 201692f..0000000
--- a/sepolicy/common/mediaprovider.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-# non-fuse sdcard mediaprovider access
-allow mediaprovider sdcard_posix:dir r_dir_perms;
-allow mediaprovider sdcard_posix:file r_file_perms;
diff --git a/sepolicy/common/mediaserver.te b/sepolicy/common/mediaserver.te
deleted file mode 100644
index 356219e..0000000
--- a/sepolicy/common/mediaserver.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-#exfat OTG
-allow mediaserver fuse_device:file { read getattr };
diff --git a/sepolicy/common/mkfs.te b/sepolicy/common/mkfs.te
deleted file mode 100644
index 6b35e95..0000000
--- a/sepolicy/common/mkfs.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type mkfs, domain;
-type mkfs_exec, exec_type, file_type;
-
-not_full_treble(`
-   init_daemon_domain(mkfs);
-')
-
-# Allow formatting userdata or cache partitions
-allow mkfs block_device:dir search;
-allow mkfs userdata_block_device:blk_file rw_file_perms;
-allow mkfs cache_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/common/platform_app.te b/sepolicy/common/platform_app.te
deleted file mode 100644
index bb66d50..0000000
--- a/sepolicy/common/platform_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-#allow platform_app sdcard_posix:dir create_dir_perms;
-#allow platform_app sdcard_posix:file create_file_perms;
-
-# gallery2 crop avatar
-allow platform_app system_app_data_file:file { create_file_perms rw_file_perms };
-
-# gallery2 renderscript
-allow platform_app app_data_file:file { execute };
-
-#exfat/ntfs OTG
-allow platform_app fuse_device:dir { rw_dir_perms create_dir_perms };
-allow platform_app fuse_device:file { rw_file_perms create_file_perms };
-allow platform_app fuse_device:filesystem getattr;
-
-# MatLog calls dmesg
-allow platform_app kernel:system syslog_read;
-
-# no-fuse
-allow platform_app exfat:dir { rw_dir_perms create_dir_perms };
-allow platform_app exfat:file { rw_file_perms create_file_perms };
-allow platform_app ntfs:dir { rw_dir_perms create_dir_perms };
-allow platform_app ntfs:file { rw_file_perms create_file_perms };
-allow platform_app sdcard_posix:dir create_dir_perms;
-allow platform_app sdcard_posix:file create_file_perms;
diff --git a/sepolicy/common/priv_app.te b/sepolicy/common/priv_app.te
deleted file mode 100644
index 3178323..0000000
--- a/sepolicy/common/priv_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-# exfat
-allow priv_app fuse_device:dir { search r_file_perms };
-allow priv_app fuse_device:file r_file_perms;
-allow priv_app fuse_device:filesystem { getattr };
-
-# posix-type fs
-allow priv_app sdcard_posix:dir r_dir_perms;
-allow priv_app sdcard_posix:file rw_file_perms;
-
-# MatLog calls dmesg
-allow priv_app kernel:system syslog_read;
-
diff --git a/sepolicy/common/sdcardd.te b/sepolicy/common/sdcardd.te
deleted file mode 100644
index 4afc302..0000000
--- a/sepolicy/common/sdcardd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-# exfat
-allow sdcardd fuse_device:dir { remove_name add_name search create rw_file_perms };
-allow sdcardd fuse_device:file { rename unlink create rw_file_perms };
-allow sdcardd fuse_device:filesystem { getattr };
diff --git a/sepolicy/common/system_app.te b/sepolicy/common/system_app.te
deleted file mode 100644
index bff1e64..0000000
--- a/sepolicy/common/system_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-allow system_app sysfs_lowmemorykiller:file rw_file_perms;
-
-# Read /sys/kernel/debug/wakeup_sources.
-allow system_app debugsfs_wakelock:file r_file_perms;
-
-#selinux status
-allow system_app selinuxfs:file r_file_perms;
-
-
diff --git a/sepolicy/common/system_server.te b/sepolicy/common/system_server.te
deleted file mode 100644
index 52d9291..0000000
--- a/sepolicy/common/system_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow system_server storage_stub_file:dir { getattr };
-set_prop(system_server, shell_prop)
-
-#batterystats
-allow system_server debugsfs_wakelock:file { read open getattr };
diff --git a/sepolicy/common/ueventd.te b/sepolicy/common/ueventd.te
deleted file mode 100644
index fc0fb23..0000000
--- a/sepolicy/common/ueventd.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ueventd needs to relabel files that pop in and out of sysfs
-allow ueventd sysfs:file relabelfrom;
-# ueventd will set permissions on cpufreq nodes
-allow ueventd sysfs_devices_system_cpu:file setattr;
-
-# ueventd loads audio firmware on many devices
-allow ueventd audio_data_file:dir r_dir_perms;
-allow ueventd audio_data_file:file r_file_perms;
diff --git a/sepolicy/common/untrusted_app.te b/sepolicy/common/untrusted_app.te
deleted file mode 100644
index a81f2b2..0000000
--- a/sepolicy/common/untrusted_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-###########################
-# OmniROM common sepolicy
-
-# exfat OTG
-allow untrusted_app mnt_media_rw_file:dir getattr;
-allow untrusted_app asec_apk_file:dir getattr;
-allow untrusted_app fuse_device:file { getattr read write open };
-allow untrusted_app fuse_device:dir { search };
-allow untrusted_app sdcard_posix:dir r_dir_perms;
-allow untrusted_app sdcard_posix:file rw_file_perms;
-
-# profile picture
-allow untrusted_app system_app_data_file:file { append };
diff --git a/sepolicy/common/untrusted_app_25.te b/sepolicy/common/untrusted_app_25.te
deleted file mode 100644
index 43c704e..0000000
--- a/sepolicy/common/untrusted_app_25.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow untrusted_app_25 mnt_media_rw_file:dir getattr;
-allow untrusted_app_25 asec_apk_file:dir getattr;
-allow untrusted_app_25 fuse_device:file { getattr read write open };
-allow untrusted_app_25 fuse_device:dir { search };
-allow untrusted_app_25 sdcard_posix:dir r_dir_perms;
-allow untrusted_app_25 sdcard_posix:file rw_file_perms;
diff --git a/sepolicy/common/vold.te b/sepolicy/common/vold.te
deleted file mode 100644
index 4ee8613..0000000
--- a/sepolicy/common/vold.te
+++ /dev/null
@@ -1,28 +0,0 @@
-###########################
-# OmniROM common sepolicy
-#
-
-domain_trans(init, rootfs, vold)
-
-# Allow vold to manage ASEC
-allow vold sdcard_type:file create_file_perms;
-#allow vold vold_tmpfs:file create_file_perms;
-
-# Allow vold to access fuse for fuse-based fs
-allow vold fuse_device:chr_file rw_file_perms;
-
-# NTFS-3g wants to drop permission
-allow vold self:capability { setgid setuid };
-# External storage
-allow vold storage_stub_file:dir { rw_file_perms search add_name };
-allow vold mnt_media_rw_stub_file:dir r_dir_perms;
-allow vold mkfs_exec:file { execute read open getattr execute_no_trans };
-
-allow vold fuse_device:dir getattr;
-allow vold fuse_device:filesystem unmount;
-
-allow vold fsck_exec:lnk_file { read };
-
-# Posix sdcard fs relabeling
-allow vold labeledfs:filesystem { relabelfrom relabelto };
-allow vold sdcard_posix:filesystem { relabelfrom relabelto };
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
deleted file mode 100644
index 40295bb..0000000
--- a/sepolicy/private/file_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# Postinstall
-/system/bin/backuptool_ab\.functions              u:object_r:otapreopt_chroot_exec:s0
-/system/bin/backuptool_ab\.sh                     u:object_r:otapreopt_chroot_exec:s0
-/system/bin/backuptool_postinstall\.sh            u:object_r:otapreopt_chroot_exec:s0
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
deleted file mode 100644
index 1d7fca2..0000000
--- a/sepolicy/private/priv_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow priv_app ota_package_file:dir create_dir_perms;
diff --git a/sepolicy/private/rootfs.te b/sepolicy/private/rootfs.te
deleted file mode 100644
index 7cfb964..0000000
--- a/sepolicy/private/rootfs.te
+++ /dev/null
@@ -1 +0,0 @@
-allow rootfs labeledfs:filesystem associate;
diff --git a/sepolicy/private/sdcardfs.te b/sepolicy/private/sdcardfs.te
deleted file mode 100644
index 245f9a8..0000000
--- a/sepolicy/private/sdcardfs.te
+++ /dev/null
@@ -1 +0,0 @@
-allow sdcardfs labeledfs:filesystem associate;
diff --git a/sepolicy/private/shell.te b/sepolicy/private/shell.te
deleted file mode 100644
index 20a5c60..0000000
--- a/sepolicy/private/shell.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow shell otapreopt_chroot_exec:file getattr;
-
diff --git a/sepolicy/private/update_engine.te b/sepolicy/private/update_engine.te
deleted file mode 100644
index 309699a..0000000
--- a/sepolicy/private/update_engine.te
+++ /dev/null
@@ -1,13 +0,0 @@
-allow update_engine self:capability { dac_override dac_read_search sys_rawio };
-
-r_dir_file(update_engine, mnt_user_file)
-r_dir_file(update_engine, storage_file)
-
-allow update_engine self:capability { chown fsetid sys_rawio };
-
-allow update_engine labeledfs:filesystem { mount unmount };
-
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:dir create_dir_perms;
-allow update_engine { media_rw_data_file rootfs sdcardfs system_data_file system_file }:{ file lnk_file } create_file_perms;
-allow update_engine { otapreopt_chroot_exec rootfs system_file toolbox_exec }:file rx_file_perms;
-allow update_engine { rootfs system_file }:file { relabelfrom relabelto };
diff --git a/sepolicy/sepolicy.mk b/sepolicy/sepolicy.mk
deleted file mode 100644
index f4bab81..0000000
--- a/sepolicy/sepolicy.mk
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# This policy configuration will be used by all products that
-# inherit from Omni
-#
-
-BOARD_SEPOLICY_DIRS += \
-    vendor/omni/sepolicy/common
-
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR += vendor/omni/sepolicy/private