From 83a06805f06fa4af10fd1c655932b508e1ebe0a9 Mon Sep 17 00:00:00 2001
From: Tobias Thierer <tobiast@google.com>
Date: Thu, 2 Nov 2017 15:13:43 +0000
Subject: [PATCH] Revert "Neverallow coredomain to kernel interface files."

This reverts commit 502e43f7d9f8ed2ccdd0c2d2c7aa2bc84d9c02e7.

Reason for revert: Suspected to have broken a build, see b/68792382

Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
---
 private/domain.te | 116 ----------------------------------------------
 1 file changed, 116 deletions(-)

diff --git a/private/domain.te b/private/domain.te
index b80064e46..d37a0bd26 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -16,119 +16,3 @@ neverallow {
 
 # Limit ability to generate hardware unique device ID attestations to priv_apps
 neverallow { domain -priv_app } *:keystore_key gen_unique_id;
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
-  # /proc
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -platform_app
-    -priv_app
-    -radio
-    -shell
-    -system_app
-    -vold
-    -vendor_init
-  } proc:file no_rw_file_perms;
-
-  # /sys
-  neverallow {
-    coredomain
-    -charger
-    -dumpstate
-    -healthd
-    -init
-    -mediaserver
-    -priv_app
-    -radio
-    -storaged
-    -system_app
-    -system_server
-    -ueventd
-    -update_verifier
-    -vold
-    -vendor_init
-  } sysfs:file no_rw_file_perms;
-
-  # /dev
-  neverallow {
-    coredomain
-    -fsck
-    -init
-    -shell
-    -ueventd
-    -vendor_init
-  } device:{ blk_file file } no_rw_file_perms;
-
-  # debugfs
-  neverallow {
-    coredomain
-    -dumpstate
-    -init
-    -system_server
-    -vendor_init
-  } debugfs:file no_rw_file_perms;
-
-  # tracefs
-  neverallow {
-    coredomain
-    -atrace
-    -dumpstate
-    -init
-    -perfprofd
-    -shell
-    -vendor_init
-  } debugfs_tracing:file no_rw_file_perms;
-
-  # inotifyfs
-  neverallow {
-    coredomain
-    -init
-    -vendor_init
-  } inotify:file no_rw_file_perms;
-
-  # pstorefs
-  neverallow {
-    coredomain
-    -bootstat
-    -charger
-    -dumpstate
-    -healthd
-    -init
-    -logd
-    -logpersist
-    -recovery_persist
-    -recovery_refresh
-    -shell
-    -system_server
-    -vendor_init
-  } pstorefs:file no_rw_file_perms;
-
-  # configfs
-  neverallow {
-    coredomain
-    -init
-    -system_server
-    -vendor_init
-  } configfs:file no_rw_file_perms;
-
-  # functionfs
-  neverallow {
-    coredomain
-    -adbd
-    -init
-    -mediaprovider
-    -vendor_init
-  }functionfs:file no_rw_file_perms;
-
-  # usbfs and binfmt_miscfs
-  neverallow {
-    coredomain
-    -init
-    -vendor_init
-  }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')
-- 
GitLab