sepolicy: Clean up policy for N
Change-Id: I39ddec0f60a9995de13b82f09705d246d7e0f454
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 6405e20..b2ad553 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,8 +1,3 @@
-# Access OBBs (sdcard_posix) mounted by vold
-# File write access allowed for FDs returned through Storage Access Framework
-allow appdomain sdcard_posix:dir r_dir_perms;
-allow appdomain sdcard_posix:file rw_file_perms;
-
# Themed resources (i.e. composed icons)
allow appdomain themeservice_app_data_file:dir r_dir_perms;
allow appdomain themeservice_app_data_file:file r_file_perms;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index b1fc15e..e05768e 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -2,4 +2,3 @@
allow domain block_device:blk_file getattr;
allow domain cache_block_device:blk_file getattr;
allow domain userdata_block_device:blk_file getattr;
-allow domain fuse_device:chr_file getattr;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 05e3c5d..b115eba 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -17,3 +17,8 @@
# Knobs for LiveDisplay
type livedisplay_sysfs, sysfs_type, file_type;
+
+# Filesystems
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
+type ntfs, sdcard_type, fs_type, mlstrustedobject;
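Review bot: The `# Filesystems` comment above the three new types does not say what carrying `sdcard_type` means for them: every rule written against that attribute, in this tree and in the base policy, now applies to exfat, fuseblk and ntfs mounts. A comment such as `# Labels for vold-mounted external volumes (see genfs_contexts); sdcard_type membership inherits every rule on that attribute` would make that visible. `mlstrustedobject` also exempts these objects from MLS separation, which is presumably intended for shared storage but is worth stating next to the declarations.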
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index b39d3dd..b5652a2 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,3 +1,3 @@
-genfscon fuseblk / u:object_r:sdcard_external:s0
-genfscon exfat / u:object_r:sdcard_external:s0
-genfscon ntfs / u:object_r:sdcard_external:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon ntfs / u:object_r:ntfs:s0
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index c240599..fc38117 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,6 +1,6 @@
# Allow querying of asec size on SD card
-allow installd sdcard_external:dir { search };
-allow installd sdcard_external:file { getattr };
+allow installd sdcard_type:dir { search };
+allow installd sdcard_type:file { getattr };
# Required for installd to create theme service's /data/data directory
allow installd themeservice_app_data_file:dir { create_dir_perms relabelfrom relabelto };
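Review bot: Replacing `sdcard_external` with the `sdcard_type` attribute on the two installd rules widens them from one type to every type carrying that attribute. Depending on the base policy, that presumably includes internal emulated storage and vfat as well as the new exfat/fuseblk/ntfs labels. If only the relabelled external filesystems are meant, naming them keeps the grant narrow: `allow installd { exfat fuseblk ntfs }:dir search;` and `allow installd { exfat fuseblk ntfs }:file getattr;`. The same widening occurs in recovery.te (`sdcard_posix` to `sdcard_type`) and in vold.te, where `create_file_perms` is now granted on all of `sdcard_type`.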
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 2984b77..b944a75 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -1,3 +1,2 @@
# used by sdcardfs to read package list
allow kernel system_data_file:file open;
-allow kernel media_rw_data_file:file rw_file_perms;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index c380ce9..62ed0b7 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,6 +1,3 @@
# Themed resources (i.e. composed icons)
allow mediaserver themeservice_app_data_file:dir r_dir_perms;
allow mediaserver themeservice_app_data_file:file r_file_perms;
-
-# For camera
-allow mediaserver media_rw_data_file:file write;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
deleted file mode 100644
index 3e0eb57..0000000
--- a/sepolicy/platform_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app sdcard_posix:dir create_dir_perms;
-allow platform_app sdcard_posix:file create_file_perms;
-
-# Allow Gallery3D to crop user images
-allow platform_app system_app_data_file:file rw_file_perms;
-
-# Allow Gallery3D to execute render scripts
-allow platform_app app_data_file:file execute;
-
-# Allow batterymanager and batteryproperties services to be found
-allow platform_app battery_service:service_manager find;
-allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/qcom/dumpstate.te b/sepolicy/qcom/dumpstate.te
index d2844a6..4ba25cc 100644
--- a/sepolicy/qcom/dumpstate.te
+++ b/sepolicy/qcom/dumpstate.te
@@ -8,6 +8,3 @@
allow dumpstate themeservice_app_data_file:dir r_dir_perms;
allow dumpstate themeservice_app_data_file:file r_file_perms;
allow dumpstate media_rw_data_file:dir search;
-allow dumpstate sdcardfs:file getattr;
-allow dumpstate sdcardfs:dir search;
-
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index c5f58c6..1a1460b 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -24,8 +24,8 @@
allow recovery media_rw_data_file:file r_file_perms;
allow recovery vfat:dir r_dir_perms;
allow recovery vfat:file r_file_perms;
-allow recovery sdcard_posix:dir r_dir_perms;
-allow recovery sdcard_posix:file r_file_perms;
+allow recovery sdcard_type:dir r_dir_perms;
+allow recovery sdcard_type:file r_file_perms;
# Control properties
allow recovery recovery_prop:property_service set;
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 473386b..1a2a2b3 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -66,4 +66,7 @@
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
allow kernel sudaemon:fd { use };
+
')
+
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon') } su_exec:file no_x_file_perms;
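Review bot: The new `neverallow` on `su_exec` has no comment, and its exemption list is the part a reader needs explained. As written, the exemptions sit inside `userdebug_or_eng(...)`, so on user builds the assertion should cover every domain, while on userdebug/eng builds `untrusted_app`, `shell`, `init`, `dumpstate`, `su` and `sudaemon` may still be granted execute on the su binary. A comment such as `# Compile-time check: only these domains may execute su, and only on userdebug/eng builds` would record that, and a short reason for the `init` and `dumpstate` exemptions would help the next reviewer. The `')` before it closes a block that opens outside this hunk.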
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index d00fcec..14b9063 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,11 +1,11 @@
domain_trans(init, rootfs, vold)
# Allow vold to manage ASEC
-allow vold sdcard_external:file create_file_perms;
+allow vold sdcard_type:file create_file_perms;
allow vold vold_tmpfs:file create_file_perms;
# Allow vold to access fuse for fuse-based fs
-allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuseblk:chr_file rw_file_perms;
# NTFS-3g wants to drop permission
allow vold self:capability { setgid setuid };
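Review bot: `allow vold fuseblk:chr_file rw_file_perms;` looks like a mistaken substitution. `fuseblk` is the filesystem type declared in file.te in this same commit, so the rule now covers character-device nodes residing on a fuseblk mount rather than the FUSE device that the comment above it describes. If vold still needs the device from this file, the line should stay `allow vold fuse_device:chr_file rw_file_perms;`; if the base policy already grants that, the line can be dropped instead of retargeted. Read/write access to device nodes found on removable, externally formatted media is not something the comments in this hunk justify.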