authorJanis Danisevskis <jdanis@google.com>2016-03-10 12:58:23 +0000
committerJanis Danisevskis <jdanis@google.com>2016-03-11 17:48:19 +0000
commit1c983327cf7e841183da15934c7ba2e99d0979c0 (patch)
treed98a1d305c4ff398408af931648d64da1d6e673e
parentf4c403d1f6a05a6df36cea5c4096fe098d0c50c8 (diff)
downloadsepolicy-1c983327cf7e841183da15934c7ba2e99d0979c0.tar.gz
Leftovers of SELinux policy reload mechanism
Remove references to /data/security and the corresponding type security_file. Bug: 26544104 Change-Id: Iac00c293daa6b781a24c2bd4c12168dfb1cceac6
-rw-r--r--app.te1
-rw-r--r--debuggerd.te1
-rw-r--r--domain.te26
-rw-r--r--domain_deprecated.te5
-rw-r--r--file.te2
-rw-r--r--file_contexts1
-rw-r--r--init.te17
-rw-r--r--installd.te2
-rw-r--r--runas.te2
-rw-r--r--system_server.te3
-rw-r--r--te_macros21
-rw-r--r--ueventd.te1
-rw-r--r--vold.te1
-rw-r--r--zygote.te2
14 files changed, 9 insertions, 76 deletions
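--- a/app.te
+++ b/app.te
@@ -405,6 +405,5 @@ neverallow appdomain {
 dev_type
 rootfs
 system_file
- security_file
 tmpfs
 }:lnk_file no_w_file_perms;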
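--- a/debuggerd.te
+++ b/debuggerd.te
@@ -10,7 +10,6 @@ allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
 allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
-security_access_policy(debuggerd)
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;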
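--- a/domain.te
+++ b/domain.te
@@ -176,28 +176,12 @@ neverallow * self:capability2 mac_override;
 # Only recovery needs mac_admin to set contexts not defined in current policy.
 neverallow { domain -recovery } self:capability2 mac_admin;
-# Only init should be able to load SELinux policies.
-# The first load technically occurs while still in the kernel domain,
-# but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
-
-# Only init and the system_server can set selinux.reload_policy 1
-# to trigger a policy reload.
-neverallow { domain -init -system_server } security_prop:property_service set;
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
-# Only init and system_server can write to /data/security, where runtime
-# policy updates live.
-# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
-neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
-# Only init and system_server can create/setattr directories with this type.
-# init is for init.rc mkdir /data/security.
-# system_server is for creating subdirectories under /data/security.
-neverallow { domain -init -system_server } security_file:dir { create setattr };
-# Only system_server can create subdirectories and files under /data/security.
-neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
-neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
-neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+# Only init and the system_server shall use the property_service.
+neverallow { domain -init -system_server } security_prop:property_service set;
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in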
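Review bot: The comment above the new security_prop rule overstates what the rule enforces: it only forbids domains other than init and system_server from setting properties of type security_prop, not property_service use in general, so a reader may take it as a global property restriction; propose `# Only init and system_server may set security_prop properties.` The new load_policy comment also drops the old explanation that the very first policy load happens while still in the kernel domain and does not trigger a denial because no policy exists yet, which is what makes `neverallow * kernel:security load_policy;` compatible with boot; keeping one sentence of that, e.g. `# The initial load happens in the kernel domain before any policy exists, so it is not affected by this rule.`, stops the `*` from looking like it would block the boot-time load. The wording `there shall be none to modify the policy` would read more plainly as `# Once the policy is loaded it is sealed: no domain may load a new one.`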
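--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -64,11 +64,6 @@ r_dir_file(domain_deprecated, proc_net)
 allow domain_deprecated selinuxfs:dir r_dir_perms;
 allow domain_deprecated selinuxfs:file r_file_perms;
-# /data/security files
-allow domain_deprecated security_file:dir { search getattr };
-allow domain_deprecated security_file:file getattr;
-allow domain_deprecated security_file:lnk_file r_file_perms;
-
 # World readable asec image contents
 allow domain_deprecated asec_public_file:file r_file_perms;
 allow domain_deprecated { asec_public_file asec_apk_file }:dir r_dir_perms;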
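--- a/file.te
+++ b/file.te
@@ -168,8 +168,6 @@ type asec_public_file, file_type, data_file_type;
 type asec_image_file, file_type, data_file_type;
 # /data/backup and /data/secure/backup
 type backup_data_file, file_type, data_file_type, mlstrustedobject;
-# For /data/security
-type security_file, file_type;
 # All devices have bluetooth efs files. But they
 # vary per device, so this type is used in per
 # device policy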
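--- a/file_contexts
+++ b/file_contexts
@@ -229,7 +229,6 @@
 /data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
 /data/backup(/.*)? u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/security(/.*)? u:object_r:security_file:s0
 /data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
 /data/drm(/.*)? u:object_r:drm_data_file:s0
 /data/gps(/.*)? u:object_r:gps_data_file:s0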
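--- a/init.te
+++ b/init.te
@@ -99,10 +99,10 @@ allow init rootfs:{ dir file } relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
@@ -123,15 +123,6 @@ allow init { dev_type -kmem_device }:chr_file { read open setattr };
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-# Create /data/security from init.rc post-fs-data.
-allow init security_file:dir { create setattr };
-
-# Reload policy upon setprop selinux.reload_policy 1.
-# Note: this requires the following allow rule
-# allow init kernel:security load_policy;
-# which can be configured on a device-by-device basis if needed.
-r_dir_file(init, security_file)
-
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;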
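Review bot: The four rewritten allow rules in the first hunk repeat the same exclusion set `{file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}` (the `:file` rule additionally excluding misc_logd_file), and this commit had to touch all four to drop one type. A file-local m4 define naming that set once would make the next such removal a one-line change, provided the policy build's m4 pass accepts a define outside te_macros; I have not verified that from this page, so take it as a suggestion. The stray space before the closing brace in the `:file` rule (`-misc_logd_file }`) differs from the other three lines and could be dropped while these lines are being rewritten anyway.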
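--- a/installd.te
+++ b/installd.te
@@ -24,8 +24,6 @@ allow installd cgroup:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(installd)
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;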
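--- a/runas.te
+++ b/runas.te
@@ -20,8 +20,6 @@ allow runas app_data_file:dir { getattr search };
 allow runas self:capability { setuid setgid };
 # run-as switches to the app security context.
-# read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(runas)
 selinux_check_context(runas) # validate context
 allow runas self:process setcurrent;
 allow runas non_system_app_set:process dyntransition; # setcon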
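--- a/system_server.te
+++ b/system_server.te
@@ -266,9 +266,6 @@ allow system_server { system_app_data_file bluetooth_data_file nfc_data_file rad
 # Receive and use open /data/media files passed over binder IPC.
 allow system_server media_rw_data_file:file { getattr read write };
-# Read /file_contexts and /data/security/file_contexts
-security_access_policy(system_server)
-
 # Relabel apk files.
 allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
 allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };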
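--- a/te_macros
+++ b/te_macros
@@ -249,27 +249,6 @@ allow $1 kernel:security setbool;
 ')
 #####################################
-# security_access_policy(domain)
-# Read only access to all policy files and
-# selinuxfs
-define(`security_access_policy', `
-allow $1 security_file:dir r_dir_perms;
-allow $1 security_file:file r_file_perms;
-')
-
-#####################################
-# mmac_manage_policy(domain)
-# Ability to manage mmac policy files,
-# trigger runtime reload, change
-# mmac enforcing mode and access logcat.
-define(`mmac_manage_policy', `
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
-#####################################
 # create_pty(domain)
 # Allow domain to create and use a pty, isolated from any other domain ptys.
 define(`create_pty', `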
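--- a/ueventd.te
+++ b/ueventd.te
@@ -8,7 +8,6 @@ tmpfs_domain(ueventd)
 type_transition ueventd device:chr_file klog_device "__kmsg__";
 allow ueventd klog_device:chr_file { create open write unlink };
-security_access_policy(ueventd)
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;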
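--- a/vold.te
+++ b/vold.te
@@ -125,7 +125,6 @@ set_prop(vold, restorecon_prop)
 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
-security_access_policy(vold)
 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };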
diff --git a/zygote.te b/zygote.te
index 421a54b..e1be061 100644
--- a/zygote.te
+++ b/zygote.te
@@ -43,8 +43,6 @@ allow zygote self:capability sys_admin;
selinux_check_context(zygote)
# Check SELinux permissions.
selinux_check_access(zygote)
-# Read /seapp_contexts and /data/security/seapp_contexts
-security_access_policy(zygote)
# Native bridge functionality requires that zygote replaces
# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount