Remove unnecessary sepolicy attributes
Test: mmm system/sepolicy
Bug: 34980020
Change-Id: Ic51e55c0820de07d4acf21c0c63dd40ba841b285
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index f1b9f22..3e69ccd 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -32,9 +32,6 @@
allow camera hal_graphics_allocator:fd use;
allow camera cameraserver:fd use;
-# TODO(b/36663461): Remove once camera no longer accesses data outside
-# /data/vendor
-typeattribute camera coredata_in_vendor_violators;
allow camera camera_data_file:dir rw_dir_perms;
allow camera camera_data_file:sock_file { create unlink };
diff --git a/sepolicy/dumpstate.te b/sepolicy/dumpstate.te
index 22935a3..72935eb 100644
--- a/sepolicy/dumpstate.te
+++ b/sepolicy/dumpstate.te
@@ -1,8 +1,4 @@
userdebug_or_eng(`
-# TODO(b/36657258): Remove vendordata_in_core_violators once
-# dumpstate no longer directly accesses /data owned by a vendor
-# process.
-typeattribute dumpstate vendordata_in_core_violators;
allow dumpstate smlog_dump_file:dir create_dir_perms;
allow dumpstate smlog_dump_file:file create_file_perms;
')
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index e2ab1a3..0187c22 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,7 +1,3 @@
-# TODO(b/36651251, b/36730929): Remove once Camera Hal is no longer accessing
-# /data outside /data/vendor.
-typeattribute hal_camera_default coredata_in_vendor_violators;
-
vndbinder_use(hal_camera_default);
allow hal_camera_default qdisplay_service:vndservice_manager { find };
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index 512206d..34fb372 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -5,9 +5,5 @@
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine)
-# TODO(b/36601695): Remove coredata_in_vendor_violators once hal_drm_widevine
-# no longer directly access /data outside /data/vendor.
-typeattribute hal_drm_widevine coredata_in_vendor_violators;
-
allow hal_drm mediacodec:fd use;
allow hal_drm { appdomain -isolated_app }:fd use;
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
index 4d70606..fbea0d3 100644
--- a/sepolicy/hal_dumpstate_impl.te
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -13,10 +13,6 @@
# smlog_dump
allow hal_dumpstate_impl smlog_dump_exec:file rx_file_perms;
userdebug_or_eng(`
-# TODO(b/36654253): Remove coredata_in_vendor_violators once
-# hal_dumpstate_impl no longer directly accesses /data outside
-# /data/vendor.
-typeattribute hal_dumpstate_impl coredata_in_vendor_violators;
allow hal_dumpstate_impl smlog_dump_file:dir create_dir_perms;
allow hal_dumpstate_impl smlog_dump_file:file create_file_perms;
allow hal_dumpstate_impl radio_data_file:dir r_dir_perms;
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
index 6555600..0250873 100644
--- a/sepolicy/hal_gnss_default.te
+++ b/sepolicy/hal_gnss_default.te
@@ -1,5 +1,2 @@
# TODO(b/36576569): Remove this once hal_gnss_default stops accessing /dev/binder
typeattribute hal_gnss_default binder_in_vendor_violators;
-# TODO(b/36730929): Remove once hal_gnss_default is no longer accessing
-# /data outside /data/vendor.
-typeattribute hal_gnss_default coredata_in_vendor_violators;
diff --git a/sepolicy/init_radio.te b/sepolicy/init_radio.te
index 99786fc..956e80e 100644
--- a/sepolicy/init_radio.te
+++ b/sepolicy/init_radio.te
@@ -11,10 +11,6 @@
allow init_radio firmware_file:file r_file_perms;
allow init_radio self:capability chown;
-# TODO(b/36663092): Remove once init_radio no longer accesses data
-# outside /data/vendor. Also, the label cannot be radio_data_file since
-# that belongs to the radio app.
-typeattribute init_radio coredata_in_vendor_violators;
allow init_radio radio_data_file:dir create_dir_perms;
allow init_radio radio_data_file:file create_file_perms;
allow init_radio radio_data_file:file w_file_perms;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 92556b0..61fe3c5 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -21,10 +21,6 @@
allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
-# TODO(b/36663482): Remove coredata_in_vendor_violators once
-# netmgrd no longer directly accesses /data outside
-# /data/vendor.
-typeattribute netmgrd coredata_in_vendor_violators;
# read /data/misc/net
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd net_data_file:file r_file_perms;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 3a01e22..86fc0ea 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,8 +1,5 @@
userdebug_or_eng(`
- # TODO(b/36734870): Remove this once platform_app no longer directly
- # accesses data owned by vendor components
- typeattribute platform_app vendordata_in_core_violators;
# qxdmlogger rundiag perms
allow platform_app ramdump_data_file:dir { getattr open read remove_name rmdir search write };
allow platform_app ramdump_data_file:file { getattr open read unlink write };
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 82ea66a..32fd159 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -12,8 +12,3 @@
# persist/display
allow surfaceflinger persist_display_file:dir r_dir_perms;
allow surfaceflinger persist_display_file:file create_file_perms;
-
-# TODO(b/36655945): Remove once surfaceflinger is no longer sharing data
-# in /data/misc/display with hal_graphics_composer.
-typeattribute surfaceflinger vendordata_in_core_violators;
-
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 07ffdc6..5787bda 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -11,8 +11,6 @@
# Set the sys.listeners.registered property
set_prop(tee, system_prop)
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
-typeattribute tee coredata_in_vendor_violators;
allow tee system_data_file:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 763eaf1..cb25e34 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -30,10 +30,6 @@
# reboot warnings and errors to kernel via klog
allow thermal-engine kmsg_device:chr_file w_file_perms;
-# TODO(b/36664251): Remove once thermal-engine no longer accesses data
-# outside /data/vendor. Also, the label cannot be radio_data_file since
-# that belongs to the radio app.
-typeattribute thermal-engine coredata_in_vendor_violators;
# write file last_reboot_reason to inform of previous thermal shutdown
allow thermal-engine reboot_data_file:dir ra_dir_perms;
allow thermal-engine reboot_data_file:file create_file_perms;
