From 41b21ee96a94e286e6c308ff03c49b0f14d66e99 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 6 Aug 2018 12:36:20 -0700
Subject: [PATCH] Delete untrusted_v2_app

As of https://android-review.googlesource.com/c/platform/system/sepolicy/+/536356 ,
the untrusted_v2_app domain is no longer used.

Bug: 112233317
Test: policy compiles, device boots, and no problems
Change-Id: I5a47c8305bef374b7fea06cd789e06cd48b847e6
---
 private/app_neverallows.te     |  1 -
 private/compat/26.0/26.0.cil   |  1 +
 private/compat/27.0/27.0.cil   |  3 ++-
 private/compat/28.0/28.0.cil   |  1 +
 private/untrusted_app_all.te   |  5 ++--
 private/untrusted_v2_app.te    | 47 ----------------------------------
 public/app.te                  | 14 +++++-----
 public/untrusted_v2_app.te     |  5 ----
 tests/treble_sepolicy_tests.py |  1 -
 9 files changed, 13 insertions(+), 65 deletions(-)
 delete mode 100644 private/untrusted_v2_app.te
 delete mode 100644 public/untrusted_v2_app.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 31551acc4..23594b826 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -10,7 +10,6 @@ define(`all_untrusted_apps',`{
   untrusted_app_25
   untrusted_app_27
   untrusted_app_all
-  untrusted_v2_app
 }')
 # Receive or send uevent messages.
 neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 085948a56..cad7123ba 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -4,6 +4,7 @@
 (typeattribute hal_wifi_keystore_server)
 
 ;; types removed from current policy
+(type untrusted_v2_app)
 (type asan_reboot_prop)
 (type commontime_management_service)
 (type log_device)
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index fcf4561c0..d99b499be 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1,10 +1,11 @@
 ;; types removed from current policy
 (type commontime_management_service)
-(type qtaguid_proc)
 (type mediacodec)
 (type mediacodec_exec)
+(type qtaguid_proc)
 (type reboot_data_file)
 (type rild)
+(type untrusted_v2_app)
 (type webview_zygote_socket)
 (type vold_socket)
 (type thermalcallback_hwservice)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 054cca268..c69a1111e 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -4,6 +4,7 @@
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
+(type untrusted_v2_app)
 
 ;; TODO: remove once P sepolicy is pushed to AOSP.
 (type vold_socket)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 65be583a7..11cea6ea2 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,8 +2,7 @@
 ### Untrusted_app_all.
 ###
 ### This file defines the rules shared by all untrusted app domains except
-### apps which target the v2 security sandbox (ephemeral_app for instant apps,
-### untrusted_v2_app for fully installed v2 apps).
+### ephemeral_app for instant apps.
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
@@ -19,7 +18,7 @@
 ### seapp_contexts.
 ###
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to untrusted_v2_app.te and ephemeral_app.te.
+### added to ephemeral_app.te.
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
deleted file mode 100644
index 8f4bceb2c..000000000
--- a/private/untrusted_v2_app.te
+++ /dev/null
@@ -1,47 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-typeattribute untrusted_v2_app coredomain;
-
-app_domain(untrusted_v2_app)
-net_domain(untrusted_v2_app)
-bluetooth_domain(untrusted_v2_app)
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_v2_app system_app_data_file:file { read write getattr };
-
-# Access to /data/media.
-allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
-allow untrusted_v2_app media_rw_data_file:file create_file_perms;
-
-# Traverse into /mnt/media_rw for bypassing FUSE daemon
-# TODO: narrow this to just MediaProvider
-allow untrusted_v2_app mnt_media_rw_file:dir search;
-
-# allow cts to query all services
-allow untrusted_v2_app servicemanager:service_manager list;
-
-allow untrusted_v2_app audioserver_service:service_manager find;
-allow untrusted_v2_app cameraserver_service:service_manager find;
-allow untrusted_v2_app drmserver_service:service_manager find;
-allow untrusted_v2_app mediaserver_service:service_manager find;
-allow untrusted_v2_app mediaextractor_service:service_manager find;
-allow untrusted_v2_app mediacodec_service:service_manager find;
-allow untrusted_v2_app mediametrics_service:service_manager find;
-allow untrusted_v2_app mediadrmserver_service:service_manager find;
-allow untrusted_v2_app nfc_service:service_manager find;
-allow untrusted_v2_app radio_service:service_manager find;
-# TODO: potentially provide a tighter list of services here
-allow untrusted_v2_app app_api_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_v2_app self:process ptrace;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_v2_app traced:fd use;
-allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_v2_app, traced_producer, traced)
diff --git a/public/app.te b/public/app.te
index bc4ad611e..12a9b81c5 100644
--- a/public/app.te
+++ b/public/app.te
@@ -85,10 +85,10 @@ allow appdomain oemfs:dir r_dir_perms;
 allow appdomain oemfs:file rx_file_perms;
 
 # Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
+allow appdomain system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
 
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
@@ -106,8 +106,8 @@ full_treble_only(`
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
-allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
+allow { appdomain -ephemeral_app } vendor_app_file:file execute;
 
 # Allow apps access to /vendor/overlay
 r_dir_file(appdomain, vendor_overlay_file)
@@ -285,7 +285,7 @@ allow appdomain resourcecache_data_file:dir r_dir_perms;
 
 # logd access
 read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+control_logd({ appdomain -ephemeral_app })
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
diff --git a/public/untrusted_v2_app.te b/public/untrusted_v2_app.te
deleted file mode 100644
index ac82f1531..000000000
--- a/public/untrusted_v2_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Untrusted v2 sandbox apps.
-###
-
-type untrusted_v2_app, domain;
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index cfa8ef9c8..6e9eb6ad2 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -29,7 +29,6 @@ coreAppdomain = {
         'system_app',
         'untrusted_app',
         'untrusted_app_25',
-        'untrusted_v2_app',
         }
 coredomainWhitelist = {
         'adbd',
-- 
GitLab