diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk index 009fb3224..6c8284639 100644 --- a/target/board/generic/BoardConfig.mk +++ b/target/board/generic/BoardConfig.mk @@ -77,7 +77,7 @@ BOARD_USES_METADATA_PARTITION := true BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216 -BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy +BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true # Android Verified Boot (AVB): diff --git a/target/board/generic/sepolicy/OWNERS b/target/board/generic/sepolicy/OWNERS deleted file mode 100644 index 382898894..000000000 --- a/target/board/generic/sepolicy/OWNERS +++ /dev/null @@ -1,4 +0,0 @@ -jeffv@google.com -dcashman@google.com -jbires@google.com -sspatil@google.com diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te deleted file mode 100644 index 9546c1a47..000000000 --- a/target/board/generic/sepolicy/adbd.te +++ /dev/null @@ -1 +0,0 @@ -set_prop(adbd, ctl_mdnsd_prop); diff --git a/target/board/generic/sepolicy/audioserver.te b/target/board/generic/sepolicy/audioserver.te deleted file mode 100644 index c3c4a3a3d..000000000 --- a/target/board/generic/sepolicy/audioserver.te +++ /dev/null @@ -1 +0,0 @@ -allow audioserver bootanim:binder call; diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te deleted file mode 100644 index bc84ee739..000000000 --- a/target/board/generic/sepolicy/bootanim.te +++ /dev/null @@ -1,9 +0,0 @@ -allow bootanim self:process execmem; -allow bootanim ashmem_device:chr_file execute; -#TODO: This can safely be ignored until b/62954877 is fixed -dontaudit bootanim system_data_file:dir read; - -allow bootanim graphics_device:chr_file { read ioctl open }; - -typeattribute bootanim system_writes_vendor_properties_violators; -set_prop(bootanim, qemu_prop) 
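Review bot: The `+BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common` line points into a different git project than the one this patch touches, so the build/make change only works if the sepolicy move in device/generic/goldfish lands in the same manifest; the generic_arm64, generic_x86, generic_x86_64 and generic_x86_arm hunks have the same cross-project dependency. If that directory is absent at build time I believe the sepolicy build collects BOARD_SEPOLICY_DIRS contents by wildcard, so the emulator would be built with none of the rules this patch deletes and fail at boot with denials instead of failing the build. Before merging, diff the deleted files against the destination copy to confirm the move is rule-for-rule identical: the removed policy carries deliberate relaxations such as `allow bootanim self:process execmem;`, `typeattribute zygote system_writes_vendor_properties_violators;` and several dontaudit rules that should neither be silently dropped nor widened in transit. A comment on the new line such as `# Emulator vendor policy lives in device/generic/goldfish; that project must be in the manifest` would record the dependency for the next reader.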
diff --git a/target/board/generic/sepolicy/cameraserver.te b/target/board/generic/sepolicy/cameraserver.te
deleted file mode 100644
index 6cf5d6ae4..000000000
--- a/target/board/generic/sepolicy/cameraserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow cameraserver system_file:dir { open read };
-allow cameraserver hal_allocator:fd use;
diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
deleted file mode 100644
index 1eaf9ef58..000000000
--- a/target/board/generic/sepolicy/createns.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Network namespace creation
-type createns, domain;
-type createns_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(createns)
-
-allow createns self:capability { sys_admin net_raw setuid setgid };
-allow createns varrun_file:dir { add_name search write };
-allow createns varrun_file:file { create mounton open read write };
-
-#Allow createns itself to be run by init in its own domain
-domain_auto_trans(goldfish_setup, createns_exec, createns);
-allow createns goldfish_setup:fd use;
-
diff --git a/target/board/generic/sepolicy/device.te b/target/board/generic/sepolicy/device.te
deleted file mode 100644
index d12944119..000000000
--- a/target/board/generic/sepolicy/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type qemu_device, dev_type, mlstrustedobject;
diff --git a/target/board/generic/sepolicy/dhcpclient.te b/target/board/generic/sepolicy/dhcpclient.te
deleted file mode 100644
index df71fca38..000000000
--- a/target/board/generic/sepolicy/dhcpclient.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# DHCP client
-type dhcpclient, domain;
-type dhcpclient_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(dhcpclient)
-net_domain(dhcpclient)
-
-allow dhcpclient execns:fd use;
-
-set_prop(dhcpclient, net_eth0_prop);
-allow dhcpclient self:capability { net_admin net_raw };
-allow dhcpclient self:udp_socket create;
-allow dhcpclient self:netlink_route_socket { write nlmsg_write };
-allow dhcpclient varrun_file:dir search;
-allow dhcpclient self:packet_socket { create bind write read };
-allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
- SIOCSIFADDR
- SIOCSIFNETMASK
- SIOCSIFMTU
- SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/dhcpserver.te b/target/board/generic/sepolicy/dhcpserver.te
deleted file mode 100644
index 7e8ba263a..000000000
--- a/target/board/generic/sepolicy/dhcpserver.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DHCP server
-type dhcpserver, domain;
-type dhcpserver_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(dhcpserver)
-net_domain(dhcpserver)
-
-allow dhcpserver execns:fd use;
-
-get_prop(dhcpserver, net_eth0_prop);
-allow dhcpserver self:udp_socket { ioctl create setopt bind };
-allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
deleted file mode 100644
index 3706dbaa0..000000000
--- a/target/board/generic/sepolicy/domain.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow domain qemu_device:chr_file rw_file_perms;
-
-get_prop(domain, qemu_prop)
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
deleted file mode 100644
index dc6c42411..000000000
--- a/target/board/generic/sepolicy/execns.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# Network namespace transitions
-type execns, domain;
-type execns_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(execns)
-
-allow execns varrun_file:dir search;
-allow execns varrun_file:file r_file_perms;
-allow execns self:capability { sys_admin setuid setgid };
-allow execns nsfs:file { open read };
-
-#Allow execns itself to be run by init in its own domain
-domain_auto_trans(init, execns_exec, execns);
-
-# Allow dhcpclient to be run by execns in its own domain
-domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
-
-# Allow dhcpserver to be run by execns in its own domain
-domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-
-# Allow hostapd_nohidl to be run by execns in its own domain
-domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
-
-# Allow execns to read createns proc file to get the namespace file
-allow execns createns:file read;
-allow execns createns:dir search;
-allow execns createns:lnk_file read;
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
deleted file mode 100644
index b0aa217ae..000000000
--- a/target/board/generic/sepolicy/file.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type varrun_file, file_type, data_file_type, mlstrustedobject;
-type mediadrm_vendor_data_file, file_type, data_file_type;
-type nsfs, fs_type;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
deleted file mode 100644
index 7cd79fecd..000000000
--- a/target/board/generic/sepolicy/file_contexts
+++ /dev/null
@@ -1,47 +0,0 @@
-# goldfish
-/dev/block/mtdblock0 u:object_r:system_block_device:s0
-/dev/block/mtdblock1 u:object_r:userdata_block_device:s0
-/dev/block/mtdblock2 u:object_r:cache_block_device:s0
-
-# ranchu
-/dev/block/vda u:object_r:system_block_device:s0
-/dev/block/vdb u:object_r:cache_block_device:s0
-/dev/block/vdc u:object_r:userdata_block_device:s0
-/dev/block/vdd u:object_r:metadata_block_device:s0
-/dev/block/vde u:object_r:system_block_device:s0
-
-/dev/goldfish_pipe u:object_r:qemu_device:s0
-/dev/goldfish_sync u:object_r:qemu_device:s0
-/dev/qemu_.* u:object_r:qemu_device:s0
-/dev/ttyGF[0-9]* u:object_r:serial_device:s0
-/dev/ttyS2 u:object_r:console_device:s0
-/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
-/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
-/vendor/bin/init\.wifi\.sh u:object_r:goldfish_setup_exec:s0
-/vendor/bin/qemu-props u:object_r:qemu_props_exec:s0
-/vendor/bin/createns u:object_r:createns_exec:s0
-/vendor/bin/execns u:object_r:execns_exec:s0
-/vendor/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0
-/vendor/bin/dhcpclient u:object_r:dhcpclient_exec:s0
-/vendor/bin/dhcpserver u:object_r:dhcpserver_exec:s0
-/vendor/bin/hostapd_nohidl u:object_r:hostapd_nohidl_exec:s0
-
-/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
-
-/vendor/lib(64)?/hw/gralloc\.ranchu\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libEGL_emulation\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_CM_emulation\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_emulation\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libEGL_swiftshader\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_swiftshader\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libOpenglSystemCommon\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/lib_renderControl_enc\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_enc\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_enc\.so u:object_r:same_process_hal_file:s0
-
-# data
-/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
-/data/vendor/var/run(/.*)? u:object_r:varrun_file:s0
-
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
deleted file mode 100644
index 1b816263b..000000000
--- a/target/board/generic/sepolicy/genfs_contexts
+++ /dev/null
@@ -1,20 +0,0 @@
-# On the emulator, device tree dir is configured to be
-# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
-# /sys/devices/platform/ANDR0001:00/properties/android/
-genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
-
-# We expect /sys/class/power_supply/* and everything it links to to be labeled
-# as sysfs_batteryinfo.
-genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
-
-# /sys/class/rtc
-genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
-
-# /sys/class/net
-genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
-
-# /proc//ns
-genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
deleted file mode 100644
index 3041436b3..000000000
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ /dev/null
@@ -1,47 +0,0 @@
-# goldfish-setup service: runs init.goldfish.sh script
-type goldfish_setup, domain;
-type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
-
-init_daemon_domain(goldfish_setup)
-
-# TODO(b/79502552): Invalid property access from emulator vendor
-#set_prop(goldfish_setup, debug_prop);
-allow goldfish_setup self:capability { net_admin net_raw };
-allow goldfish_setup self:udp_socket { create ioctl };
-allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
-allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
-wakelock_use(goldfish_setup);
-allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
-
-# Set system properties to start services
-set_prop(goldfish_setup, ctl_default_prop);
-
-# Set up WiFi
-allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
-allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow goldfish_setup self:capability { sys_module sys_admin };
-allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
-allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
-allow goldfish_setup execns_exec:file rx_file_perms;
-allow goldfish_setup proc_net:file rw_file_perms;
-allow goldfish_setup proc:file r_file_perms;
-allow goldfish_setup nsfs:file r_file_perms;
-allow goldfish_setup system_data_file:dir getattr;
-allow goldfish_setup kernel:system module_request;
-set_prop(goldfish_setup, qemu_prop);
-get_prop(goldfish_setup, net_share_prop);
-# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
-allow goldfish_setup system_file:file execute_no_trans;
-# Allow goldfish_setup to run init.wifi.sh
-allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
-#Allow goldfish_setup to run createns in its own domain
-domain_auto_trans(goldfish_setup, createns_exec, createns);
-# iw
-allow goldfish_setup sysfs:file { read open };
-# iptables
-allow goldfish_setup system_file:file lock;
-allow goldfish_setup self:rawip_socket { create getopt setopt };
-# Allow goldfish_setup to read createns proc file to get the namespace file
-allow goldfish_setup createns:file { read };
-allow goldfish_setup createns:dir { search };
-allow goldfish_setup createns:lnk_file { read };
diff --git a/target/board/generic/sepolicy/hal_camera_default.te b/target/board/generic/sepolicy/hal_camera_default.te
deleted file mode 100644
index eb88c36f0..000000000
--- a/target/board/generic/sepolicy/hal_camera_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-vndbinder_use(hal_camera_default);
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/target/board/generic/sepolicy/hal_cas_default.te b/target/board/generic/sepolicy/hal_cas_default.te
deleted file mode 100644
index 3ed3bee86..000000000
--- a/target/board/generic/sepolicy/hal_cas_default.te
+++ /dev/null
@@ -1 +0,0 @@
-vndbinder_use(hal_cas_default);
diff --git a/target/board/generic/sepolicy/hal_drm_default.te b/target/board/generic/sepolicy/hal_drm_default.te
deleted file mode 100644
index 5a07433c8..000000000
--- a/target/board/generic/sepolicy/hal_drm_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-vndbinder_use(hal_drm_default);
-hal_client_domain(hal_drm_default, hal_graphics_composer)
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
deleted file mode 100644
index d49000d14..000000000
--- a/target/board/generic/sepolicy/hal_drm_widevine.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# define SELinux domain
-type hal_drm_widevine, domain;
-hal_server_domain(hal_drm_widevine, hal_drm)
-
-type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_drm_widevine)
-
-allow hal_drm mediacodec:fd use;
-allow hal_drm { appdomain -isolated_app }:fd use;
-
-vndbinder_use(hal_drm_widevine);
-hal_client_domain(hal_drm_widevine, hal_graphics_composer);
-allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
-allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/target/board/generic/sepolicy/hal_fingerprint_default.te b/target/board/generic/sepolicy/hal_fingerprint_default.te
deleted file mode 100644
index e5b06f12d..000000000
--- a/target/board/generic/sepolicy/hal_fingerprint_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
-# hal_fingerprint no longer directly accesses fingerprintd_data_file.
-typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
-allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
-allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
diff --git a/target/board/generic/sepolicy/hal_gnss_default.te b/target/board/generic/sepolicy/hal_gnss_default.te
deleted file mode 100644
index 0dd3d0356..000000000
--- a/target/board/generic/sepolicy/hal_gnss_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#============= hal_gnss_default ==============
-allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
-
diff --git a/target/board/generic/sepolicy/hal_graphics_allocator_default.te b/target/board/generic/sepolicy/hal_graphics_allocator_default.te
deleted file mode 100644
index 0c8e27de9..000000000
--- a/target/board/generic/sepolicy/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_graphics_allocator_default graphics_device:dir search;
-allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
diff --git a/target/board/generic/sepolicy/hal_graphics_composer_default.te b/target/board/generic/sepolicy/hal_graphics_composer_default.te
deleted file mode 100644
index 034bdeff9..000000000
--- a/target/board/generic/sepolicy/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#============= hal_graphics_composer_default ==============
-allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
-
diff --git a/target/board/generic/sepolicy/hal_wifi_default.te b/target/board/generic/sepolicy/hal_wifi_default.te
deleted file mode 100644
index de4b9969b..000000000
--- a/target/board/generic/sepolicy/hal_wifi_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
diff --git a/target/board/generic/sepolicy/healthd.te b/target/board/generic/sepolicy/healthd.te
deleted file mode 100644
index ced670499..000000000
--- a/target/board/generic/sepolicy/healthd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read /sys/class/power_supply directory
-allow healthd sysfs:dir r_dir_perms;
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
deleted file mode 100644
index add648a01..000000000
--- a/target/board/generic/sepolicy/hostapd_nohidl.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type hostapd_nohidl, domain;
-type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd_nohidl)
-net_domain(hostapd_nohidl)
-
-allow hostapd_nohidl execns:fd use;
-
-allow hostapd_nohidl self:capability { net_admin net_raw };
-allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
-allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
-allow hostapd_nohidl self:packet_socket { create setopt };
-allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
-
-# hostapd will attempt to search sysfs but it's not needed and will spam the log
-dontaudit hostapd_nohidl sysfs_net:dir search;
diff --git a/target/board/generic/sepolicy/init.te b/target/board/generic/sepolicy/init.te
deleted file mode 100644
index 84a4e8dbf..000000000
--- a/target/board/generic/sepolicy/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow init tmpfs:lnk_file create_file_perms;
-dontaudit init kernel:system module_request;
diff --git a/target/board/generic/sepolicy/ipv6proxy.te b/target/board/generic/sepolicy/ipv6proxy.te
deleted file mode 100644
index 22976fe9b..000000000
--- a/target/board/generic/sepolicy/ipv6proxy.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# IPv6 proxying
-type ipv6proxy, domain;
-type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(ipv6proxy)
-net_domain(ipv6proxy)
-
-# Allow ipv6proxy to be run by execns in its own domain
-domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
-allow ipv6proxy execns:fd use;
-
-allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
-allow ipv6proxy self:packet_socket { bind create read };
-allow ipv6proxy self:netlink_route_socket nlmsg_write;
-allow ipv6proxy varrun_file:dir search;
-allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/logpersist.te b/target/board/generic/sepolicy/logpersist.te
deleted file mode 100644
index 3fc025019..000000000
--- a/target/board/generic/sepolicy/logpersist.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# goldfish logcat service: runs logcat -Q in logpersist domain
-
-# See global logcat.te/logpersist.te, only set for eng & userdebug,
-# allow for all builds in a non-conflicting manner.
-
-domain_auto_trans(init, logcat_exec, logpersist)
-
-# Read from logd.
-unix_socket_connect(logpersist, logdr, logd)
-
-# Write to /dev/ttyS2 and /dev/ttyGF2.
-allow logpersist serial_device:chr_file { write open };
-get_prop(logpersist, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/mediacodec.te b/target/board/generic/sepolicy/mediacodec.te
deleted file mode 100644
index acf4e59b9..000000000
--- a/target/board/generic/sepolicy/mediacodec.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediacodec system_file:dir { open read };
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
deleted file mode 100644
index 09a28b996..000000000
--- a/target/board/generic/sepolicy/netd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-dontaudit netd self:capability sys_module;
-#TODO: This can safely be ignored until b/62954877 is fixed
-dontaudit netd kernel:system module_request;
diff --git a/target/board/generic/sepolicy/priv_app.te b/target/board/generic/sepolicy/priv_app.te
deleted file mode 100644
index 3d16f32b0..000000000
--- a/target/board/generic/sepolicy/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#TODO: b/62908025
-dontaudit priv_app firstboot_prop:file { getattr open };
-dontaudit priv_app device:dir { open read };
-dontaudit priv_app proc_interrupts:file { getattr open read };
-dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/target/board/generic/sepolicy/property.te b/target/board/generic/sepolicy/property.te
deleted file mode 100644
index 3593a39dd..000000000
--- a/target/board/generic/sepolicy/property.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type qemu_prop, property_type;
-type qemu_cmdline, property_type;
-type radio_noril_prop, property_type;
-type net_eth0_prop, property_type;
-type net_share_prop, property_type;
diff --git a/target/board/generic/sepolicy/property_contexts b/target/board/generic/sepolicy/property_contexts
deleted file mode 100644
index f7a241cfb..000000000
--- a/target/board/generic/sepolicy/property_contexts
+++ /dev/null
@@ -1,8 +0,0 @@
-qemu. u:object_r:qemu_prop:s0
-qemu.cmdline u:object_r:qemu_cmdline:s0
-vendor.qemu u:object_r:qemu_prop:s0
-ro.emu. u:object_r:qemu_prop:s0
-ro.emulator. u:object_r:qemu_prop:s0
-ro.radio.noril u:object_r:radio_noril_prop:s0
-net.eth0. u:object_r:net_eth0_prop:s0
-net.shared_net_ip u:object_r:net_share_prop:s0
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
deleted file mode 100644
index b3e2d9552..000000000
--- a/target/board/generic/sepolicy/qemu_props.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# qemu-props service: Sets system properties on boot.
-type qemu_props, domain;
-type qemu_props_exec, vendor_file_type, exec_type, file_type;
-
-init_daemon_domain(qemu_props)
-
-set_prop(qemu_props, qemu_prop)
-# TODO(b/79502552): Invalid property access from emulator vendor
-#set_prop(qemu_props, qemu_cmdline)
-set_prop(qemu_props, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/radio.te b/target/board/generic/sepolicy/radio.te
deleted file mode 100644
index 742d3b2d2..000000000
--- a/target/board/generic/sepolicy/radio.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow the radio to read these properties, they only have an SELinux label in
-# the emulator.
-get_prop(radio, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
deleted file mode 100644
index ea183739a..000000000
--- a/target/board/generic/sepolicy/rild.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow rild to read these properties, they only have an SELinux label in the
-# emulator.
-get_prop(rild, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/shell.te b/target/board/generic/sepolicy/shell.te
deleted file mode 100644
index b246d7e3c..000000000
--- a/target/board/generic/sepolicy/shell.te
+++ /dev/null
@@ -1 +0,0 @@
-allow shell serial_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/surfaceflinger.te b/target/board/generic/sepolicy/surfaceflinger.te
deleted file mode 100644
index 2bba8a78b..000000000
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow surfaceflinger self:process execmem;
-allow surfaceflinger ashmem_device:chr_file execute;
-
-typeattribute surfaceflinger system_writes_vendor_properties_violators;
-set_prop(surfaceflinger, qemu_prop)
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
deleted file mode 100644
index dd70b12dd..000000000
--- a/target/board/generic/sepolicy/system_server.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(system_server, radio_noril_prop)
diff --git a/target/board/generic/sepolicy/vendor_init.te b/target/board/generic/sepolicy/vendor_init.te
deleted file mode 100644
index b18d3913f..000000000
--- a/target/board/generic/sepolicy/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(vendor_init, qemu_prop)
diff --git a/target/board/generic/sepolicy/vold.te b/target/board/generic/sepolicy/vold.te
deleted file mode 100644
index 5f3bdd446..000000000
--- a/target/board/generic/sepolicy/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit vold kernel:system module_request;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
deleted file mode 100644
index da403b5dd..000000000
--- a/target/board/generic/sepolicy/zygote.te
+++ /dev/null
@@ -1,5 +0,0 @@ -typeattribute zygote system_writes_vendor_properties_violators; -set_prop(zygote, qemu_prop) -# TODO (b/63631799) fix this access -# Suppress denials to storage. Webview zygote should not be accessing. -dontaudit webview_zygote mnt_expand_file:dir getattr; diff --git a/target/board/generic_arm64/BoardConfig.mk b/target/board/generic_arm64/BoardConfig.mk index d4a85533d..0fa05e86c 100644 --- a/target/board/generic_arm64/BoardConfig.mk +++ b/target/board/generic_arm64/BoardConfig.mk @@ -94,7 +94,7 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216 BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true -BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy +BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common # Android Verified Boot (AVB): # Builds a special vbmeta.img that disables AVB verification. diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk index 5af7e5a92..684dfc7ef 100644 --- a/target/board/generic_x86/BoardConfig.mk +++ b/target/board/generic_x86/BoardConfig.mk @@ -67,8 +67,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216 BOARD_SEPOLICY_DIRS += \ - build/target/board/generic/sepolicy \ - build/target/board/generic_x86/sepolicy + device/generic/goldfish/sepolicy/common \ + device/generic/goldfish/sepolicy/x86 # Android Verified Boot (AVB): # Builds a special vbmeta.img that disables AVB verification. diff --git a/target/board/generic_x86/sepolicy/OWNERS b/target/board/generic_x86/sepolicy/OWNERS deleted file mode 100644 index 382898894..000000000 --- a/target/board/generic_x86/sepolicy/OWNERS +++ /dev/null @@ -1,4 +0,0 @@ -jeffv@google.com -dcashman@google.com -jbires@google.com -sspatil@google.com diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te deleted file mode 100644 index 0bc8d871f..000000000 
--- a/target/board/generic_x86/sepolicy/domain.te +++ /dev/null @@ -1 +0,0 @@ -allow domain cpuctl_device:dir search; diff --git a/target/board/generic_x86/sepolicy/healthd.te b/target/board/generic_x86/sepolicy/healthd.te deleted file mode 100644 index 95fa8079b..000000000 --- a/target/board/generic_x86/sepolicy/healthd.te +++ /dev/null @@ -1 +0,0 @@ -allow healthd self:capability sys_nice; diff --git a/target/board/generic_x86/sepolicy/init.te b/target/board/generic_x86/sepolicy/init.te deleted file mode 100644 index 3aa81d1b5..000000000 --- a/target/board/generic_x86/sepolicy/init.te +++ /dev/null @@ -1 +0,0 @@ -allow init tmpfs:lnk_file create_file_perms; diff --git a/target/board/generic_x86/sepolicy/installd.te b/target/board/generic_x86/sepolicy/installd.te deleted file mode 100644 index 7a558b129..000000000 --- a/target/board/generic_x86/sepolicy/installd.te +++ /dev/null @@ -1 +0,0 @@ -allow installd self:process execmem; diff --git a/target/board/generic_x86/sepolicy/zygote.te b/target/board/generic_x86/sepolicy/zygote.te deleted file mode 100644 index 93993a47f..000000000 --- a/target/board/generic_x86/sepolicy/zygote.te +++ /dev/null @@ -1,2 +0,0 @@ -allow zygote self:process execmem; -allow zygote self:capability sys_nice; diff --git a/target/board/generic_x86_64/BoardConfig.mk b/target/board/generic_x86_64/BoardConfig.mk index 81e325ea5..5bcb9adf9 100755 --- a/target/board/generic_x86_64/BoardConfig.mk +++ b/target/board/generic_x86_64/BoardConfig.mk @@ -65,8 +65,8 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216 BOARD_SEPOLICY_DIRS += \ - build/target/board/generic/sepolicy \ - build/target/board/generic_x86/sepolicy + device/generic/goldfish/sepolicy/common \ + device/generic/goldfish/sepolicy/x86 # Android Verified Boot (AVB): # Builds a special vbmeta.img that disables AVB verification. 
diff --git a/target/board/generic_x86_arm/BoardConfig.mk b/target/board/generic_x86_arm/BoardConfig.mk index 131c0014f..c66aacc84 100644 --- a/target/board/generic_x86_arm/BoardConfig.mk +++ b/target/board/generic_x86_arm/BoardConfig.mk @@ -61,4 +61,4 @@ BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_FLASH_BLOCK_SIZE := 512 TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true -BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy +BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common