From 05bc716503c1a07319ab7f2ef54b6034d50fb53e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 5 May 2017 13:37:34 -0700
Subject: [PATCH] Drop fuse_device neverallow rules

The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Drop them for CTS purposes.

These neverallow rules have been changed in master (see commit 45766d4178e443b29fee8cd9c8917847ea3a4cf1), but we're not attempting to backport that change to avoid introducing new neverallow statements.

Bug: 37496487
Test: compile time assertion removal only. No device changes.
Change-Id: I2fc7d944bf91c2295d53cd41fb0d0aa73627f482
---
 domain.te | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/domain.te b/domain.te
index 023eac303..3c7d596f8 100644
--- a/domain.te
+++ b/domain.te
@@ -572,25 +572,6 @@ neverallow * domain:file { execute execute_no_trans entrypoint };
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
 
-neverallow {
- domain
- -init
- -recovery
- -sdcardd
- -vold
-} fuse_device:chr_file open;
-neverallow {
- domain
- -dumpstate
- -init
- -priv_app
- -recovery
- -sdcardd
- -system_server
- -ueventd
- -vold
-} fuse_device:chr_file *;
-
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
-- 
GitLab