Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.

Change-Id: I620d4aef84a5d4565abb1695db54ce1653612bce Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Move qemud and /dev/qemu policy bits to emulator-specific sepolicy.
0296b943 · Stephen Smalley · 2c347e0a · 0296b943 · 0296b943 · 0296b943
Commit 0296b943 authored 11 years ago by Stephen Smalley
--- a/adbd.te
+++ b/adbd.te
@@ -25,9 +25,6 @@ net_domain(adbd)
 # Access /dev/android_adb.
 allow adbd adb_device:chr_file rw_file_perms;

-# On emulator, access /dev/qemu*.
-allow adbd qemu_device:chr_file rw_file_perms;
-
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;


--- a/device.te
+++ b/device.te
@@ -26,7 +26,6 @@ type mtd_device, dev_type;
 type mtp_device, dev_type, mlstrustedobject;
 type nfc_device, dev_type;
 type ptmx_device, dev_type, mlstrustedobject;
-type qemu_device, dev_type;
 type kmsg_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
 type random_device, dev_type;

--- a/file.te
+++ b/file.te
@@ -118,7 +118,6 @@ type mdns_socket, file_type;
 type mdnsd_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
-type qemud_socket, file_type;
 type racoon_socket, file_type;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;

--- a/file_contexts
+++ b/file_contexts
@@ -65,7 +65,6 @@
 /dev/ppp		u:object_r:ppp_device:s0
 /dev/ptmx		u:object_r:ptmx_device:s0
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
-/dev/qemu_.*		u:object_r:qemu_device:s0
 /dev/kmsg		u:object_r:kmsg_device:s0
 /dev/null		u:object_r:null_device:s0
 /dev/nvhdcp1		u:object_r:video_device:s0
@@ -88,7 +87,6 @@
 /dev/socket/mdnsd	u:object_r:mdnsd_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
-/dev/socket/qemud	u:object_r:qemud_socket:s0
 /dev/socket/racoon	u:object_r:racoon_socket:s0
 /dev/socket/rild	u:object_r:rild_socket:s0
 /dev/socket/rild-debug	u:object_r:rild_debug_socket:s0
@@ -136,7 +134,6 @@
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
 /system/bin/wpa_supplicant	u:object_r:wpa_exec:s0
-/system/bin/qemud	u:object_r:qemud_exec:s0
 /system/bin/sdcard      u:object_r:sdcardd_exec:s0
 /system/bin/dhcpcd      u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
@@ -215,7 +212,6 @@
 #############################
 # sysfs files
 #
-/sys/qemu_trace(/.*)?	--	u:object_r:sysfs_writable:s0
 /sys/devices/platform/nfc-power/nfc_power -- u:object_r:sysfs_nfc_power_writable:s0
 /sys/devices/system/cpu(/.*)?    u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -28,7 +28,6 @@ allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver qemu_device:chr_file rw_file_perms;
 allow mediaserver tee_device:chr_file rw_file_perms;
 allow mediaserver audio_prop:property_service set;


--- a/qemud.te
+++ b/qemud.te
-# qemu support daemon
-type qemud, domain;
-type qemud_exec, exec_type, file_type;
-
-init_daemon_domain(qemud)
-unconfined_domain(qemud)
\ No newline at end of file
--- a/rild.te
+++ b/rild.te
@@ -8,13 +8,11 @@ net_domain(rild)
 allow rild self:netlink_route_socket nlmsg_write;
 allow rild kernel:system module_request;
 unix_socket_connect(rild, property, init)
-unix_socket_connect(rild, qemud, qemud)
 allow rild self:capability { setuid net_admin net_raw };
 allow rild alarm_device:chr_file rw_file_perms;
 allow rild cgroup:dir create_dir_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
-allow rild qemu_device:chr_file rw_file_perms;
 allow rild mtd_device:dir search;
 allow rild efs_file:dir create_dir_perms;
 allow rild efs_file:file create_file_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -81,7 +81,6 @@ allow system_server init:process sigchld;

 # Talk to init and various daemons via sockets.
 unix_socket_connect(system_server, property, init)
-unix_socket_connect(system_server, qemud, qemud)
 unix_socket_connect(system_server, installd, installd)
 unix_socket_connect(system_server, lmkd, lmkd)
 unix_socket_connect(system_server, netd, netd)
@@ -130,7 +129,6 @@ allow system_server urandom_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
-allow system_server qemu_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;

 # tun device used for 3rd party vpn apps