From 2740a3d10005acf73fc114692f33ec2e436db072 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 18 Sep 2017 16:00:20 -0600
Subject: [PATCH] Destroy vold socket interface completely.

Long live Binder.

Test: yes
Bug: 13758960
Change-Id: I11da7f14862024d9e9b901cfac1f22f1147174fa
---
 private/app.te               |  1 -
 private/compat/26.0/26.0.cil |  1 +
 private/file_contexts        |  2 --
 private/system_server.te     |  1 -
 public/file.te               |  1 -
 public/init.te               |  2 --
 public/vdc.te                | 16 ----------------
 7 files changed, 1 insertion(+), 23 deletions(-)

diff --git a/private/app.te b/private/app.te
index 70b42b9bd..c978306d7 100644
--- a/private/app.te
+++ b/private/app.te
@@ -396,7 +396,6 @@ neverallow appdomain socket_device:sock_file write;
 # Unix domain sockets.
 neverallow appdomain adbd_socket:sock_file write;
 neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
 neverallow appdomain zygote_socket:sock_file write;
 
 # ptrace access to non-app domains.
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 9f1643b8d..c847a2f39 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -9,6 +9,7 @@
 (type mediacasserver_service)
 (type tracing_shell_writable)
 (type tracing_shell_writable_debug)
+(type vold_socket)
 
 (typeattributeset accessibility_service_26_0 (accessibility_service))
 (typeattributeset account_service_26_0 (account_service))
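Review bot: Adding `(type vold_socket)` here keeps the label alive for 26.0 vendor policy while the `neverallow appdomain vold_socket:sock_file write` rule in private/app.te is dropped in the same commit, so a 26.0 vendor rule granting appdomain write on `vold_socket_26_0` would no longer be rejected at policy build time; it is worth confirming no shipped 26.0 vendor policy references that type before relying on the stub alone. Since both file_contexts entries for `/dev/socket/vold` and `/dev/socket/cryptd` are removed, nothing in core policy labels this type any more, and a socket that an older vold still creates under that path falls back to `socket_device`, which the `neverallow appdomain socket_device:sock_file write` rule visible in the app.te hunk header still covers. A one-line comment next to the stub would save the next reader the same reconstruction, e.g. `; vold_socket: removed in 27; kept only so 26.0 vendor policy still compiles (no file carries this label)`, assuming this file accepts `;` comments like other CIL sources.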
diff --git a/private/file_contexts b/private/file_contexts
index ffc601cc5..5a9c9d04f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -118,7 +118,6 @@
 /dev/snd/audio_seq_device	u:object_r:audio_seq_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
-/dev/socket/cryptd	u:object_r:vold_socket:s0
 /dev/socket/dnsproxyd	u:object_r:dnsproxyd_socket:s0
 /dev/socket/dumpstate	u:object_r:dumpstate_socket:s0
 /dev/socket/fwmarkd	u:object_r:fwmarkd_socket:s0
@@ -147,7 +146,6 @@
 /dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
 /dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
 /dev/socket/uncrypt	u:object_r:uncrypt_socket:s0
-/dev/socket/vold	u:object_r:vold_socket:s0
 /dev/socket/webview_zygote	u:object_r:webview_zygote_socket:s0
 /dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
 /dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
diff --git a/private/system_server.te b/private/system_server.te
index 109587e28..e49385740 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -159,7 +159,6 @@ allow system_server self:tun_socket create_socket_perms_no_ioctl;
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, mtpd, mtp)
 unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
 unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
diff --git a/public/file.te b/public/file.te
index b49ff78b7..f3d3dfda6 100644
--- a/public/file.te
+++ b/public/file.te
@@ -277,7 +277,6 @@ type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
 type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type, coredomain_socket;
 type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type, data_file_type;
 type zygote_socket, file_type, coredomain_socket;
diff --git a/public/init.te b/public/init.te
index f317877c2..9c2bea74e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -395,8 +395,6 @@ allow init unencrypted_data_file:dir create_dir_perms;
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
 
-unix_socket_connect(init, vold, vold)
-
 # Raw writes to misc block device
 allow init misc_block_device:blk_file w_file_perms;
 
diff --git a/public/vdc.te b/public/vdc.te
index 75a5d1b8a..424bdea02 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -8,22 +8,6 @@
 type vdc, domain;
 type vdc_exec, exec_type, file_type;
 
-# TODO: remove as part of 13758960
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-# TODO: remove as part of 13758960
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-# TODO: remove as part of 13758960
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-# TODO: remove as part of 13758960
-allow vdc dumpstate:unix_dgram_socket { read write };
-
 # vdc can be invoked with logwrapper, so let it write to pty
 allow vdc devpts:chr_file rw_file_perms;
 
-- 
GitLab