Revert "Revert "common: Drop custom filesystem rules""
This reverts commit 490115c0d06eae20c4bdacf4305420fe7d6a1c2a.
Violates certain SELinux neverallow rules.
Test: run cts -m CtsSecurityHostTestCases -t android.security.cts.SELinuxNeverallowRulesTest
Change-Id: I9fee0f5bed6d1cbf4f5c679ae2b76124660b4be7
diff --git a/common/private/file.te b/common/private/file.te
index 6fb480b..f06388b 100644
--- a/common/private/file.te
+++ b/common/private/file.te
@@ -1,3 +1,2 @@
-type sdcard_posix, sdcard_type, sdcard_posix_contextmount_type, fs_type, mlstrustedobject;
type adbroot_data_file, file_type, data_file_type, core_data_file_type;
type sysfs_perdev_minors, fs_type, sysfs_type;
diff --git a/common/private/file_contexts b/common/private/file_contexts
index a441605..cc2800f 100644
--- a/common/private/file_contexts
+++ b/common/private/file_contexts
@@ -1,9 +1,3 @@
-# Filesystem tools
-/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
-/system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
-/system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
-/system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
-
# OTA packages
/data/lineageos_updates(/.*)? u:object_r:ota_package_file:s0
diff --git a/common/private/fsck_untrusted.te b/common/private/fsck_untrusted.te
deleted file mode 100644
index 5d12f76..0000000
--- a/common/private/fsck_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# External storage
-allow fsck_untrusted self:capability sys_admin;
diff --git a/common/private/genfs_contexts b/common/private/genfs_contexts
index 79a7736..d096874 100644
--- a/common/private/genfs_contexts
+++ b/common/private/genfs_contexts
@@ -1,6 +1,2 @@
-ifelse(board_excludes_fuseblk_sepolicy, `true', ,
-genfscon fuseblk / u:object_r:vfat:s0
-)
-
genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /module/mmcblk/parameters/perdev_minors u:object_r:sysfs_perdev_minors:s0
diff --git a/common/private/mkfs.te b/common/private/mkfs.te
deleted file mode 100644
index 2c16520..0000000
--- a/common/private/mkfs.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type mkfs, coredomain, domain;
-type mkfs_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mkfs)
-
-# Allow formatting userdata or cache partitions
-allow mkfs block_device:dir search;
-allow mkfs userdata_block_device:blk_file rw_file_perms;
-allow mkfs cache_block_device:blk_file rw_file_perms;
diff --git a/common/private/system_server.te b/common/private/system_server.te
index e396fa5..18c5faa 100644
--- a/common/private/system_server.te
+++ b/common/private/system_server.te
@@ -1,5 +1,3 @@
-allow system_server storage_stub_file:dir getattr;
-
allow system_server adbroot_service:service_manager find;
# Use HALs
diff --git a/common/private/vold.te b/common/private/vold.te
deleted file mode 100644
index 915190b..0000000
--- a/common/private/vold.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# NTFS-3g wants to drop permission
-allow vold self:capability { setgid setuid };
-
-# External storage
-allow vold mkfs_exec:file rx_file_perms;
-allow vold mnt_media_rw_stub_file:dir r_dir_perms;
-allow vold storage_stub_file:dir rw_dir_perms;
-
-# External EXT4/F2FS storage
-allow vold sdcard_posix:filesystem { relabelto relabelfrom };
-allow vold labeledfs:filesystem relabelfrom;
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
index 561d341..1a55071 100644
--- a/common/sepolicy.mk
+++ b/common/sepolicy.mk
@@ -9,12 +9,6 @@
endif
endif
-ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
-ifeq ($(TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR),true)
-BOARD_SEPOLICY_M4DEFS += board_excludes_fuseblk_sepolicy=true
-endif
-endif
-
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
device/lineage/sepolicy/common/public