From 10b250df24f96cf439025233d5bfa9ace1b5654b Mon Sep 17 00:00:00 2001
From: Pavel Grafov <pgrafov@google.com>
Date: Fri, 19 Oct 2018 11:06:08 +0000
Subject: [PATCH] Revert "Neverallow vendor code access to files on /system."

This reverts commit c855629ebd42e4aba64dea0a8a95fc5c465b911e.

Reason for revert: breaks builds for some devices in master

Change-Id: I02c0967d6607ef0173b4188c06d2e781c3c93f4b
---
 public/domain.te | 43 +++++++++++++------------------------------
 1 file changed, 13 insertions(+), 30 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index fefca843b..edcc49880 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1091,10 +1091,9 @@ full_treble_only(`
         -vendor_executes_system_violators
         -vendor_init
     } {
-        system_file_type
-        -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-        -system_lib_file
+        exec_type
         -system_linker_exec
+        -vendor_file_type
         -crash_dump_exec
         -netutils_wrapper_exec
         userdebug_or_eng(`-tcpdump_exec')
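Review bot: After this hunk the target set of this neverallow is `exec_type -system_linker_exec -vendor_file_type ...`, i.e. only executable types, whereas the removed lines covered `system_file_type` as a whole with `-system_file` and `-system_lib_file` carved out; non-executable /system files are therefore no longer restricted by this rule and depend entirely on the block in the second hunk, which this commit leaves commented out. A reader of this rule alone would assume broader coverage, so a comment on the `exec_type` line would help, e.g. `# Only exec types are restricted here; non-exec system_file_type is covered by the (currently disabled) neverallow below, b/111243627.`. The enclosing `neverallow` of this `full_treble_only` block starts and ends outside the hunk.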
@@ -1157,33 +1156,17 @@ full_treble_only(`
   }:file *;
 ')
 
-full_treble_only(`
-  # Do not allow vendor components access to /system files except for the
-  # ones whitelisted here.
-  neverallow {
-    domain
-    -appdomain
-    -coredomain
-    -vendor_executes_system_violators
-    # vendor_init needs access to init_exec for domain transition. vendor_init
-    # neverallows are covered in public/vendor_init.te
-    -vendor_init
-  } {
-    system_file_type
-    -system_file # TODO(b/111243627): remove once Treble violations are fixed.
-    -crash_dump_exec
-    -file_contexts_file
-    -netutils_wrapper_exec
-    -property_contexts_file
-    -system_lib_file
-    -system_linker_exec
-    -system_linker_config_file
-    -system_seccomp_policy_file
-    -system_security_cacerts_file
-    -system_zoneinfo_file
-    userdebug_or_eng(`-tcpdump_exec')
-  }:file *;
-')
+# TODO(b/111243627): Uncomment once all violations are cleaned up.
+#full_treble_only(`
+#  # Do not allow vendor components access to /system files except for the
+#  # ones whitelisted here.
+#  neverallow {
+#    domain
+#    -appdomain
+#    -coredomain
+#    -vendor_executes_system_violators
+#  } system_file_type:file *;
+#')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
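Review bot: The commented-out block re-added at lines 64-73 is not the rule this hunk removes: it lacks the `-vendor_init` exemption and every per-type carve-out of the removed rule (`-file_contexts_file`, `-property_contexts_file`, `-system_linker_exec`, `-system_linker_config_file`, `-system_seccomp_policy_file`, `-system_security_cacerts_file`, `-system_zoneinfo_file`, `userdebug_or_eng(`-tcpdump_exec')`), so uncommenting it as the TODO instructs would deny vendor_init's domain transition and legitimate reads of those files rather than restore the removed policy. The TODO should say what has to come back with it, e.g. `# TODO(b/111243627): Uncomment once all violations are cleaned up; restore the vendor_init and per-type carve-outs from the reverted rule (see c855629ebd) before enabling.`. The commit message gives build breakage on some devices as the reason, while b/111243627 is described on the removed line 49 as tracking Treble violations; if the build breakage is tracked separately, it would help to cite that reference here as well.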