Remove neverallows for device domain am: 65a66499cc
Original change: https://android-review.googlesource.com/c/device/mediatek/wembley-sepolicy/+/2414378
Change-Id: I01011a9ccf06062091a54d5fd898ea8e4d156ec6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te
index 64524ac..4c71456 100644
--- a/neverallows/non_plat/neverallows.te
+++ b/neverallows/non_plat/neverallows.te
@@ -218,38 +218,6 @@
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
- neverallow ~{
- apexd
- cameraserver
- fastbootd
- hal_camera
- hal_camera_default
- hal_evs_default
- init
- mtk_hal_camera
- otapreopt_chroot
- recovery
- shell
- slideshow
- system_server
- vendor_init
- vold
- ueventd
- } device:dir ~{ search getattr };
-
- neverallow {
- cameraserver
- fastbootd
- hal_camera
- hal_camera_default
- hal_evs_default
- mtk_hal_camera
- system_server
- shell
- slideshow
- recovery
- } device:dir ~r_dir_perms;
-
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
diff --git a/neverallows/plat_private/neverallows.te b/neverallows/plat_private/neverallows.te
index 695a6c7..1281248 100644
--- a/neverallows/plat_private/neverallows.te
+++ b/neverallows/plat_private/neverallows.te
@@ -116,44 +116,7 @@
neverallow system_server system_data_file:lnk_file ~create_file_perms;
')
-# Do not allow access to the generic device label. This is too broad.
-# Instead, if access to part of device is desired, it should have a
-# more specific label.
-# TODO: Remove hal_camera and so on once there are no violations.
-#
-# allow hal_camera device:dir r_dir_perms;
-# hal_client_domain(cameraserver, hal_camera)
-#
full_treble_only(`
- neverallow {
- coredomain
- -apexd
- -cameraserver
- -fastbootd
- -hal_camera
- -init
- -otapreopt_chroot
- -recovery
- -shell
- -slideshow
- -system_server
- -vendor_init
- -vold
- -ueventd
- } device:dir ~{ search getattr };
-
- neverallow init device:dir ~{ create_dir_perms mounton relabelto };
-
- neverallow {
- cameraserver
- fastbootd
- hal_camera
- system_server
- shell
- slideshow
- recovery
- } device:dir ~r_dir_perms;
-
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
neverallow vold device:dir ~{ search getattr write };
diff --git a/neverallows/plat_public/neverallows.te b/neverallows/plat_public/neverallows.te
index 1e1bce7..f130f1e 100644
--- a/neverallows/plat_public/neverallows.te
+++ b/neverallows/plat_public/neverallows.te
@@ -448,33 +448,6 @@
neverallow ueventd device:lnk_file ~{ r_file_perms create unlink };
- neverallow {
- coredomain
- -apexd
- -cameraserver
- -fastbootd
- -hal_camera
- -init
- -otapreopt_chroot
- -recovery
- -shell
- -slideshow
- -system_server
- -vendor_init
- -vold
- -ueventd
- } device:dir ~{ search getattr };
-
- neverallow {
- cameraserver
- fastbootd
- hal_camera
- system_server
- shell
- slideshow
- recovery
- } device:dir ~r_dir_perms;
-
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
