Move sensord sepolicy
The sensord move in ag/2106763 should be accompanied by a corresponding
sepolicy move of the sensord-related files and declarations.
Bug: 36996994
Test: Sailfish build shows no related permission errors
Change-Id: Ibe41b363f7ca2752b5d3e0961298985cf784663d
diff --git a/private/app.te b/private/app.te
index fbf89e8..309d27c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -300,8 +300,6 @@
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, sensors_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, pose_client)
pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
# Apps do not directly open the IPC socket for bufferhubd.
pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
diff --git a/private/file_contexts b/private/file_contexts
index 4d64c61..b13807f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -134,10 +134,6 @@
/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/sensors u:object_r:pdx_sensors_dir:s0
-/dev/socket/pdx/system/vr/sensors/client u:object_r:pdx_sensors_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/pose u:object_r:pdx_pose_dir:s0
-/dev/socket/pdx/system/vr/pose/client u:object_r:pdx_pose_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
@@ -198,7 +194,6 @@
/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
/system/bin/performanced u:object_r:performanced_exec:s0
-/system/bin/sensord u:object_r:sensord_exec:s0
/system/bin/drmserver u:object_r:drmserver_exec:s0
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
diff --git a/private/sensord.te b/private/sensord.te
deleted file mode 100644
index bdeded6..0000000
--- a/private/sensord.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute sensord coredomain;
-
-init_daemon_domain(sensord)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 1e425ba..f04a984 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -98,8 +98,6 @@
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
-pdx_client(surfaceflinger, sensors_client)
-pdx_client(surfaceflinger, pose_client)
###
### Neverallow rules
diff --git a/public/attributes b/public/attributes
index f8650b7..c449a08 100644
--- a/public/attributes
+++ b/public/attributes
@@ -164,8 +164,6 @@
pdx_service_attributes(display_screenshot)
pdx_service_attributes(display_vsync)
pdx_service_attributes(performance_client)
-pdx_service_attributes(sensors_client)
-pdx_service_attributes(pose_client);
pdx_service_attributes(bufferhub_client)
# All HAL servers
diff --git a/public/file.te b/public/file.te
index b5b6f86..057af41 100644
--- a/public/file.te
+++ b/public/file.te
@@ -283,8 +283,6 @@
# PDX endpoint types
type pdx_display_dir, pdx_endpoint_dir_type, file_type;
type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_sensors_dir, pdx_endpoint_dir_type, file_type;
-type pdx_pose_dir, pdx_endpoint_dir_type, file_type;
type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
pdx_service_socket_types(display_client, pdx_display_dir)
@@ -292,8 +290,6 @@
pdx_service_socket_types(display_screenshot, pdx_display_dir)
pdx_service_socket_types(display_vsync, pdx_display_dir)
pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(sensors_client, pdx_sensors_dir)
-pdx_service_socket_types(pose_client, pdx_pose_dir)
pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
# file_contexts files
diff --git a/public/performanced.te b/public/performanced.te
index 7f2e13f..3d3fadb 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
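Review bot: Dropping `sensord` from the `r_dir_file` and `setsched` sets leaves performanced unable to read sensord's /proc entries or change its scheduling unless the policy that now owns the sensord type grants that again. The deleted public/sensord.te declares `pdx_client(sensord, performance_client)`, so sensord presumably still asks performanced for scheduling. Nothing in this diff shows where the two grants land, so confirm that the destination policy carries `r_dir_file(performanced, sensord)` and `allow performanced sensord:process setsched;`. The Test line mentions only a Sailfish build; if sensord does not run on that device, a runtime denial would not appear there, and the `dontaudit performanced domain:dir read;` kept in this hunk would also hide the directory-read part of it from the audit log.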
diff --git a/public/sensord.te b/public/sensord.te
deleted file mode 100644
index c9749cb..0000000
--- a/public/sensord.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# sensord
-type sensord, domain, mlstrustedsubject;
-type sensord_exec, exec_type, file_type;
-
-hal_client_domain(sensord, hal_graphics_allocator)
-allow sensord hal_graphics_allocator:fd use;
-
-pdx_server(sensord, sensors_client)
-pdx_server(sensord, pose_client)
-pdx_client(sensord, bufferhub_client)
-pdx_client(sensord, performance_client)
-
-# Access /dev/ion
-allow sensord ion_device:chr_file r_file_perms;
-
-allow sensord sensors_device:chr_file rw_file_perms;
-
-binder_use(sensord)
-binder_call(sensord, system_server)
-allow sensord system_server:unix_stream_socket { read write };
-
-allow sensord sensorservice_service:service_manager find;
-# permission_service is used by the NDK sensor APIs.
-allow sensord permission_service:service_manager find;