From b805adaa16856de865712ca40ba7e232228e2f3f Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Fri, 9 Nov 2018 14:13:58 -0800
Subject: [PATCH] Remove dead *_device types from system sepolicy.
No coredomain domain has access to these types and corresponding /dev nodes don't exist on the device: audio_seq_device audio_timer_device full_device i2c_device vcs_device
Bug: 110962171
Test: m selinux_policy
Test: boot walleye
Change-Id: I89ad4755e6760aa166cb22e2655567e5905dc672
---
private/compat/28.0/28.0.cil | 5 +++++
private/file_contexts | 5 -----
public/device.te | 5 -----
3 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index e76bc2d6d..8bb849a7a 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1,10 +1,15 @@
 ;; types removed from current policy
+(type audio_seq_device)
+(type audio_timer_device)
 (type commontime_management_service)
+(type full_device)
+(type i2c_device)
 (type mediacodec)
 (type mediacodec_exec)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)
 (type untrusted_v2_app)
+(type vcs_device)
 ;; Public 28.0 SEPolicy is divergent on different devices w.r.t
 ;; exported_audio_prop type. We need this typeattribute declaration so that the
diff --git a/private/file_contexts b/private/file_contexts
index 3284b6841..571b47cc1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -90,12 +90,10 @@
 /dev/eac u:object_r:audio_device:s0
 /dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
 /dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/full u:object_r:full_device:s0
 /dev/fuse u:object_r:fuse_device:s0
 /dev/graphics(/.*)? u:object_r:graphics_device:s0
 /dev/hw_random u:object_r:hw_random_device:s0
 /dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
 /dev/input(/.*)? u:object_r:input_device:s0
 /dev/iio:device[0-9]+ u:object_r:iio_device:s0
 /dev/ion u:object_r:ion_device:s0
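Review bot: Dropping the `/dev/full` rule in this hunk (and the `/dev/snd/audio_*_device` and `/dev/vcs[0-9a-z]*` rules in the -121 and -173 hunks) rests on the "nodes don't exist on the device" claim, which the Test lines only establish for walleye; on mainline kernels /dev/full is one of the char-major-1 memory devices created alongside /dev/null and /dev/zero, so its absence is a kernel-configuration detail rather than a guarantee. Any such node that a kernel does create after this change presumably falls through to the generic /dev fallback rule in file_contexts, a broader and less auditable label than the dedicated type it had before. It would be worth confirming the absence on each supported kernel, e.g. `ls -lZ /dev/full /dev/i2c-* /dev/vcs*`, and checking that no vendor file_contexts still labels such a node with one of the removed types, since the compat entries in 28.0.cil keep those names compiling but no longer attach `dev_type` to them in current policy.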
@@ -121,8 +119,6 @@
 /dev/rproc_user u:object_r:rpmsg_device:s0
 /dev/rtc[0-9] u:object_r:rtc_device:s0
 /dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
-/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
 /dev/socket(/.*)? u:object_r:socket_device:s0
 /dev/socket/adbd u:object_r:adbd_socket:s0
 /dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
@@ -173,7 +169,6 @@
 /dev/urandom u:object_r:random_device:s0
 /dev/usb_accessory u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]* u:object_r:input_device:s0
-/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
 /dev/video[0-9]* u:object_r:video_device:s0
 /dev/vndbinder u:object_r:vndbinder_device:s0
 /dev/watchdog u:object_r:watchdog_device:s0
diff --git a/public/device.te b/public/device.te
index 1ab08b470..7e18095d0 100644
--- a/public/device.te
+++ b/public/device.te
@@ -3,8 +3,6 @@ type device, dev_type, fs_type;
 type alarm_device, dev_type, mlstrustedobject;
 type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
-type audio_timer_device, dev_type;
-type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
@@ -22,7 +20,6 @@ type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
-type full_device, dev_type;
 # GPU (used by most UI apps)
 type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
@@ -46,7 +43,6 @@ type socket_device, dev_type;
 type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type video_device, dev_type;
-type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
 type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
@@ -61,7 +57,6 @@ type usb_device, dev_type, mlstrustedobject;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-type i2c_device, dev_type;
 # All devices have a uart for the hci
 # attach service. The uart dev node
-- GitLab