emulator: move sepolicy to goldfish project

The sepolicies are emulator specific and are installed
under vendor partition, move them to the right location.

This CL does not impact real devices: the SELinux rules being moved
apply to the emulator only.

BUG: 110030159
Change-Id: I6acc27a3b787a3fafd9373c84492537185b184c5
Merged-In: I6acc27a3b787a3fafd9373c84492537185b184c5
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk
index 009fb32..6c82846 100644
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@@ -77,7 +77,7 @@
 BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
 
-BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
 BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
 
 # Android Verified Boot (AVB):
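Review bot: The new BOARD_SEPOLICY_DIRS entry on the `+` line points into a different git project (device/generic/goldfish) with nothing guarding that the directory exists at the checked-out revision, and the Merged-In trailer suggests this change is cherry-picked across branches. As far as I recall the sepolicy build collects .te and contexts files through wildcard lookups, so a goldfish checkout that predates sepolicy/common would not break the build but would silently drop the emulator vendor policy, leaving /vendor/bin/createns, execns, dhcpclient and the other binaries labelled by the deleted file_contexts without their domains — worth confirming before relying on it. I would at least document the coupling above the assignment: `# Emulator SELinux policy lives in device/generic/goldfish; the manifest must pin a revision that contains sepolicy/common.` The deleted OWNERS file listed SELinux-team reviewers, so also check that the destination directory carries equivalent review ownership.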
diff --git a/target/board/generic/sepolicy/OWNERS b/target/board/generic/sepolicy/OWNERS
deleted file mode 100644
index 3828988..0000000
--- a/target/board/generic/sepolicy/OWNERS
+++ /dev/null
@@ -1,4 +0,0 @@
-jeffv@google.com
-dcashman@google.com
-jbires@google.com
-sspatil@google.com
diff --git a/target/board/generic/sepolicy/adbd.te b/target/board/generic/sepolicy/adbd.te
deleted file mode 100644
index 9546c1a..0000000
--- a/target/board/generic/sepolicy/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(adbd, ctl_mdnsd_prop);
diff --git a/target/board/generic/sepolicy/audioserver.te b/target/board/generic/sepolicy/audioserver.te
deleted file mode 100644
index c3c4a3a..0000000
--- a/target/board/generic/sepolicy/audioserver.te
+++ /dev/null
@@ -1 +0,0 @@
-allow audioserver bootanim:binder call;
diff --git a/target/board/generic/sepolicy/bootanim.te b/target/board/generic/sepolicy/bootanim.te
deleted file mode 100644
index bc84ee7..0000000
--- a/target/board/generic/sepolicy/bootanim.te
+++ /dev/null
@@ -1,9 +0,0 @@
-allow bootanim self:process execmem;
-allow bootanim ashmem_device:chr_file execute;
-#TODO: This can safely be ignored until b/62954877 is fixed
-dontaudit bootanim system_data_file:dir read;
-
-allow bootanim graphics_device:chr_file { read ioctl open };
-
-typeattribute bootanim system_writes_vendor_properties_violators;
-set_prop(bootanim, qemu_prop)
diff --git a/target/board/generic/sepolicy/cameraserver.te b/target/board/generic/sepolicy/cameraserver.te
deleted file mode 100644
index 6cf5d6a..0000000
--- a/target/board/generic/sepolicy/cameraserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow cameraserver system_file:dir { open read };
-allow cameraserver hal_allocator:fd use;
diff --git a/target/board/generic/sepolicy/createns.te b/target/board/generic/sepolicy/createns.te
deleted file mode 100644
index 1eaf9ef..0000000
--- a/target/board/generic/sepolicy/createns.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Network namespace creation
-type createns, domain;
-type createns_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(createns)
-
-allow createns self:capability { sys_admin net_raw setuid setgid };
-allow createns varrun_file:dir { add_name search write };
-allow createns varrun_file:file { create mounton open read write };
-
-#Allow createns itself to be run by init in its own domain
-domain_auto_trans(goldfish_setup, createns_exec, createns);
-allow createns goldfish_setup:fd use;
-
diff --git a/target/board/generic/sepolicy/device.te b/target/board/generic/sepolicy/device.te
deleted file mode 100644
index d129441..0000000
--- a/target/board/generic/sepolicy/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type qemu_device, dev_type, mlstrustedobject;
diff --git a/target/board/generic/sepolicy/dhcpclient.te b/target/board/generic/sepolicy/dhcpclient.te
deleted file mode 100644
index df71fca..0000000
--- a/target/board/generic/sepolicy/dhcpclient.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# DHCP client
-type dhcpclient, domain;
-type dhcpclient_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(dhcpclient)
-net_domain(dhcpclient)
-
-allow dhcpclient execns:fd use;
-
-set_prop(dhcpclient, net_eth0_prop);
-allow dhcpclient self:capability { net_admin net_raw };
-allow dhcpclient self:udp_socket create;
-allow dhcpclient self:netlink_route_socket { write nlmsg_write };
-allow dhcpclient varrun_file:dir search;
-allow dhcpclient self:packet_socket { create bind write read };
-allowxperm dhcpclient self:udp_socket ioctl { SIOCSIFFLAGS
-                                              SIOCSIFADDR
-                                              SIOCSIFNETMASK
-                                              SIOCSIFMTU
-                                              SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/dhcpserver.te b/target/board/generic/sepolicy/dhcpserver.te
deleted file mode 100644
index 7e8ba26..0000000
--- a/target/board/generic/sepolicy/dhcpserver.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# DHCP server
-type dhcpserver, domain;
-type dhcpserver_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(dhcpserver)
-net_domain(dhcpserver)
-
-allow dhcpserver execns:fd use;
-
-get_prop(dhcpserver, net_eth0_prop);
-allow dhcpserver self:udp_socket { ioctl create setopt bind };
-allow dhcpserver self:capability { net_raw net_bind_service };
diff --git a/target/board/generic/sepolicy/domain.te b/target/board/generic/sepolicy/domain.te
deleted file mode 100644
index 3706dba..0000000
--- a/target/board/generic/sepolicy/domain.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow domain qemu_device:chr_file rw_file_perms;
-
-get_prop(domain, qemu_prop)
diff --git a/target/board/generic/sepolicy/execns.te b/target/board/generic/sepolicy/execns.te
deleted file mode 100644
index dc6c424..0000000
--- a/target/board/generic/sepolicy/execns.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# Network namespace transitions
-type execns, domain;
-type execns_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(execns)
-
-allow execns varrun_file:dir search;
-allow execns varrun_file:file r_file_perms;
-allow execns self:capability { sys_admin setuid setgid };
-allow execns nsfs:file { open read };
-
-#Allow execns itself to be run by init in its own domain
-domain_auto_trans(init, execns_exec, execns);
-
-# Allow dhcpclient to be run by execns in its own domain
-domain_auto_trans(execns, dhcpclient_exec, dhcpclient);
-
-# Allow dhcpserver to be run by execns in its own domain
-domain_auto_trans(execns, dhcpserver_exec, dhcpserver);
-
-# Allow hostapd_nohidl to be run by execns in its own domain
-domain_auto_trans(execns, hostapd_nohidl_exec, hostapd_nohidl);
-
-# Allow execns to read createns proc file to get the namespace file
-allow execns createns:file read;
-allow execns createns:dir search;
-allow execns createns:lnk_file read;
diff --git a/target/board/generic/sepolicy/file.te b/target/board/generic/sepolicy/file.te
deleted file mode 100644
index b0aa217..0000000
--- a/target/board/generic/sepolicy/file.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type varrun_file, file_type, data_file_type, mlstrustedobject;
-type mediadrm_vendor_data_file, file_type, data_file_type;
-type nsfs, fs_type;
diff --git a/target/board/generic/sepolicy/file_contexts b/target/board/generic/sepolicy/file_contexts
deleted file mode 100644
index 7cd79fe..0000000
--- a/target/board/generic/sepolicy/file_contexts
+++ /dev/null
@@ -1,47 +0,0 @@
-# goldfish
-/dev/block/mtdblock0         u:object_r:system_block_device:s0
-/dev/block/mtdblock1         u:object_r:userdata_block_device:s0
-/dev/block/mtdblock2         u:object_r:cache_block_device:s0
-
-# ranchu
-/dev/block/vda               u:object_r:system_block_device:s0
-/dev/block/vdb               u:object_r:cache_block_device:s0
-/dev/block/vdc               u:object_r:userdata_block_device:s0
-/dev/block/vdd               u:object_r:metadata_block_device:s0
-/dev/block/vde               u:object_r:system_block_device:s0
-
-/dev/goldfish_pipe           u:object_r:qemu_device:s0
-/dev/goldfish_sync           u:object_r:qemu_device:s0
-/dev/qemu_.*                 u:object_r:qemu_device:s0
-/dev/ttyGF[0-9]*             u:object_r:serial_device:s0
-/dev/ttyS2                   u:object_r:console_device:s0
-/vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0
-/vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0
-/vendor/bin/init\.wifi\.sh   u:object_r:goldfish_setup_exec:s0
-/vendor/bin/qemu-props       u:object_r:qemu_props_exec:s0
-/vendor/bin/createns         u:object_r:createns_exec:s0
-/vendor/bin/execns           u:object_r:execns_exec:s0
-/vendor/bin/ipv6proxy        u:object_r:ipv6proxy_exec:s0
-/vendor/bin/dhcpclient       u:object_r:dhcpclient_exec:s0
-/vendor/bin/dhcpserver       u:object_r:dhcpserver_exec:s0
-/vendor/bin/hostapd_nohidl   u:object_r:hostapd_nohidl_exec:s0
-
-/vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine          u:object_r:hal_drm_widevine_exec:s0
-
-/vendor/lib(64)?/hw/gralloc\.ranchu\.so   u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/gralloc\.goldfish\.default\.so   u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libEGL_emulation\.so          u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_CM_emulation\.so    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_emulation\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libEGL_swiftshader\.so          u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_CM_swiftshader\.so    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_swiftshader\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libOpenglSystemCommon\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/lib_renderControl_enc\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_enc\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_enc\.so       u:object_r:same_process_hal_file:s0
-
-# data
-/data/vendor/mediadrm(/.*)?            u:object_r:mediadrm_vendor_data_file:s0
-/data/vendor/var/run(/.*)?             u:object_r:varrun_file:s0
-
diff --git a/target/board/generic/sepolicy/genfs_contexts b/target/board/generic/sepolicy/genfs_contexts
deleted file mode 100644
index 1b81626..0000000
--- a/target/board/generic/sepolicy/genfs_contexts
+++ /dev/null
@@ -1,20 +0,0 @@
-# On the emulator, device tree dir is configured to be
-# /sys/bus/platform/devices/ANDR0001:00/properties/android/ which is a symlink to
-# /sys/devices/platform/ANDR0001:00/properties/android/
-genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
-
-# We expect /sys/class/power_supply/* and everything it links to to be labeled
-# as sysfs_batteryinfo.
-genfscon sysfs /devices/platform/GFSH0001:00/power_supply u:object_r:sysfs_batteryinfo:s0
-
-# /sys/class/rtc
-genfscon sysfs /devices/pnp0/00:00/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/GFSH0007:00/rtc u:object_r:sysfs_rtc:s0
-
-# /sys/class/net
-genfscon sysfs /devices/pci0000:00/0000:00:08.0/virtio5/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim0/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
-
-# /proc/<pid>/ns
-genfscon nsfs / u:object_r:nsfs:s0
diff --git a/target/board/generic/sepolicy/goldfish_setup.te b/target/board/generic/sepolicy/goldfish_setup.te
deleted file mode 100644
index 3041436..0000000
--- a/target/board/generic/sepolicy/goldfish_setup.te
+++ /dev/null
@@ -1,47 +0,0 @@
-# goldfish-setup service: runs init.goldfish.sh script
-type goldfish_setup, domain;
-type goldfish_setup_exec, vendor_file_type, exec_type, file_type;
-
-init_daemon_domain(goldfish_setup)
-
-# TODO(b/79502552): Invalid property access from emulator vendor
-#set_prop(goldfish_setup, debug_prop);
-allow goldfish_setup self:capability { net_admin net_raw };
-allow goldfish_setup self:udp_socket { create ioctl };
-allow goldfish_setup vendor_toolbox_exec:file execute_no_trans;
-allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls;
-wakelock_use(goldfish_setup);
-allow goldfish_setup vendor_shell_exec:file { rx_file_perms };
-
-# Set system properties to start services
-set_prop(goldfish_setup, ctl_default_prop);
-
-# Set up WiFi
-allow goldfish_setup self:netlink_route_socket { create nlmsg_write setopt bind getattr read write nlmsg_read };
-allow goldfish_setup self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow goldfish_setup self:capability { sys_module sys_admin };
-allow goldfish_setup varrun_file:dir { mounton open read write add_name search remove_name };
-allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink };
-allow goldfish_setup execns_exec:file rx_file_perms;
-allow goldfish_setup proc_net:file rw_file_perms;
-allow goldfish_setup proc:file r_file_perms;
-allow goldfish_setup nsfs:file r_file_perms;
-allow goldfish_setup system_data_file:dir getattr;
-allow goldfish_setup kernel:system module_request;
-set_prop(goldfish_setup, qemu_prop);
-get_prop(goldfish_setup, net_share_prop);
-# Allow goldfish_setup to run /system/bin/ip and /system/bin/iw
-allow goldfish_setup system_file:file execute_no_trans;
-# Allow goldfish_setup to run init.wifi.sh
-allow goldfish_setup goldfish_setup_exec:file execute_no_trans;
-#Allow goldfish_setup to run createns in its own domain
-domain_auto_trans(goldfish_setup, createns_exec, createns);
-# iw
-allow goldfish_setup sysfs:file { read open };
-# iptables
-allow goldfish_setup system_file:file lock;
-allow goldfish_setup self:rawip_socket { create getopt setopt };
-# Allow goldfish_setup to read createns proc file to get the namespace file
-allow goldfish_setup createns:file { read };
-allow goldfish_setup createns:dir { search };
-allow goldfish_setup createns:lnk_file { read };
diff --git a/target/board/generic/sepolicy/hal_camera_default.te b/target/board/generic/sepolicy/hal_camera_default.te
deleted file mode 100644
index eb88c36..0000000
--- a/target/board/generic/sepolicy/hal_camera_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-vndbinder_use(hal_camera_default);
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/target/board/generic/sepolicy/hal_cas_default.te b/target/board/generic/sepolicy/hal_cas_default.te
deleted file mode 100644
index 3ed3bee..0000000
--- a/target/board/generic/sepolicy/hal_cas_default.te
+++ /dev/null
@@ -1 +0,0 @@
-vndbinder_use(hal_cas_default);
diff --git a/target/board/generic/sepolicy/hal_drm_default.te b/target/board/generic/sepolicy/hal_drm_default.te
deleted file mode 100644
index 5a07433..0000000
--- a/target/board/generic/sepolicy/hal_drm_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-vndbinder_use(hal_drm_default);
-hal_client_domain(hal_drm_default, hal_graphics_composer)
diff --git a/target/board/generic/sepolicy/hal_drm_widevine.te b/target/board/generic/sepolicy/hal_drm_widevine.te
deleted file mode 100644
index d49000d..0000000
--- a/target/board/generic/sepolicy/hal_drm_widevine.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# define SELinux domain
-type hal_drm_widevine, domain;
-hal_server_domain(hal_drm_widevine, hal_drm)
-
-type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_drm_widevine)
-
-allow hal_drm mediacodec:fd use;
-allow hal_drm { appdomain -isolated_app }:fd use;
-
-vndbinder_use(hal_drm_widevine);
-hal_client_domain(hal_drm_widevine, hal_graphics_composer);
-allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
-allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/target/board/generic/sepolicy/hal_fingerprint_default.te b/target/board/generic/sepolicy/hal_fingerprint_default.te
deleted file mode 100644
index e5b06f1..0000000
--- a/target/board/generic/sepolicy/hal_fingerprint_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
-# hal_fingerprint no longer directly accesses fingerprintd_data_file.
-typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
-allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
-allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
diff --git a/target/board/generic/sepolicy/hal_gnss_default.te b/target/board/generic/sepolicy/hal_gnss_default.te
deleted file mode 100644
index 0dd3d03..0000000
--- a/target/board/generic/sepolicy/hal_gnss_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#============= hal_gnss_default ==============
-allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
-
diff --git a/target/board/generic/sepolicy/hal_graphics_allocator_default.te b/target/board/generic/sepolicy/hal_graphics_allocator_default.te
deleted file mode 100644
index 0c8e27d..0000000
--- a/target/board/generic/sepolicy/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_graphics_allocator_default graphics_device:dir search;
-allow hal_graphics_allocator_default graphics_device:chr_file { ioctl open read write };
diff --git a/target/board/generic/sepolicy/hal_graphics_composer_default.te b/target/board/generic/sepolicy/hal_graphics_composer_default.te
deleted file mode 100644
index 034bdef..0000000
--- a/target/board/generic/sepolicy/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#============= hal_graphics_composer_default ==============
-allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl open read write };
-
diff --git a/target/board/generic/sepolicy/hal_wifi_default.te b/target/board/generic/sepolicy/hal_wifi_default.te
deleted file mode 100644
index de4b996..0000000
--- a/target/board/generic/sepolicy/hal_wifi_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_wifi_default hal_wifi_default:netlink_route_socket { create bind write read nlmsg_read };
diff --git a/target/board/generic/sepolicy/healthd.te b/target/board/generic/sepolicy/healthd.te
deleted file mode 100644
index ced6704..0000000
--- a/target/board/generic/sepolicy/healthd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow to read /sys/class/power_supply directory
-allow healthd sysfs:dir r_dir_perms;
diff --git a/target/board/generic/sepolicy/hostapd_nohidl.te b/target/board/generic/sepolicy/hostapd_nohidl.te
deleted file mode 100644
index add648a..0000000
--- a/target/board/generic/sepolicy/hostapd_nohidl.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type hostapd_nohidl, domain;
-type hostapd_nohidl_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd_nohidl)
-net_domain(hostapd_nohidl)
-
-allow hostapd_nohidl execns:fd use;
-
-allow hostapd_nohidl self:capability { net_admin net_raw };
-allow hostapd_nohidl self:netlink_generic_socket { bind create getattr read setopt write };
-allow hostapd_nohidl self:netlink_route_socket nlmsg_write;
-allow hostapd_nohidl self:packet_socket { create setopt };
-allowxperm hostapd_nohidl self:udp_socket ioctl priv_sock_ioctls;
-
-# hostapd will attempt to search sysfs but it's not needed and will spam the log
-dontaudit hostapd_nohidl sysfs_net:dir search;
diff --git a/target/board/generic/sepolicy/init.te b/target/board/generic/sepolicy/init.te
deleted file mode 100644
index 84a4e8d..0000000
--- a/target/board/generic/sepolicy/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow init tmpfs:lnk_file create_file_perms;
-dontaudit init kernel:system module_request;
diff --git a/target/board/generic/sepolicy/ipv6proxy.te b/target/board/generic/sepolicy/ipv6proxy.te
deleted file mode 100644
index 22976fe..0000000
--- a/target/board/generic/sepolicy/ipv6proxy.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# IPv6 proxying
-type ipv6proxy, domain;
-type ipv6proxy_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(ipv6proxy)
-net_domain(ipv6proxy)
-
-# Allow ipv6proxy to be run by execns in its own domain
-domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
-allow ipv6proxy execns:fd use;
-
-allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
-allow ipv6proxy self:packet_socket { bind create read };
-allow ipv6proxy self:netlink_route_socket nlmsg_write;
-allow ipv6proxy varrun_file:dir search;
-allowxperm ipv6proxy self:udp_socket ioctl { SIOCSIFFLAGS SIOCGIFHWADDR };
diff --git a/target/board/generic/sepolicy/logpersist.te b/target/board/generic/sepolicy/logpersist.te
deleted file mode 100644
index 3fc0250..0000000
--- a/target/board/generic/sepolicy/logpersist.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# goldfish logcat service:  runs logcat -Q in logpersist domain
-
-# See global logcat.te/logpersist.te, only set for eng & userdebug,
-# allow for all builds in a non-conflicting manner.
-
-domain_auto_trans(init, logcat_exec, logpersist)
-
-# Read from logd.
-unix_socket_connect(logpersist, logdr, logd)
-
-# Write to /dev/ttyS2 and /dev/ttyGF2.
-allow logpersist serial_device:chr_file { write open };
-get_prop(logpersist, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/mediacodec.te b/target/board/generic/sepolicy/mediacodec.te
deleted file mode 100644
index acf4e59..0000000
--- a/target/board/generic/sepolicy/mediacodec.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediacodec system_file:dir { open read };
diff --git a/target/board/generic/sepolicy/netd.te b/target/board/generic/sepolicy/netd.te
deleted file mode 100644
index 09a28b9..0000000
--- a/target/board/generic/sepolicy/netd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-dontaudit netd self:capability sys_module;
-#TODO: This can safely be ignored until b/62954877 is fixed
-dontaudit netd kernel:system module_request;
diff --git a/target/board/generic/sepolicy/priv_app.te b/target/board/generic/sepolicy/priv_app.te
deleted file mode 100644
index 3d16f32..0000000
--- a/target/board/generic/sepolicy/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#TODO: b/62908025
-dontaudit priv_app firstboot_prop:file { getattr open };
-dontaudit priv_app device:dir { open read };
-dontaudit priv_app proc_interrupts:file { getattr open read };
-dontaudit priv_app proc_modules:file { getattr open read };
diff --git a/target/board/generic/sepolicy/property.te b/target/board/generic/sepolicy/property.te
deleted file mode 100644
index 3593a39..0000000
--- a/target/board/generic/sepolicy/property.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type qemu_prop, property_type;
-type qemu_cmdline, property_type;
-type radio_noril_prop, property_type;
-type net_eth0_prop, property_type;
-type net_share_prop, property_type;
diff --git a/target/board/generic/sepolicy/property_contexts b/target/board/generic/sepolicy/property_contexts
deleted file mode 100644
index f7a241c..0000000
--- a/target/board/generic/sepolicy/property_contexts
+++ /dev/null
@@ -1,8 +0,0 @@
-qemu.                   u:object_r:qemu_prop:s0
-qemu.cmdline            u:object_r:qemu_cmdline:s0
-vendor.qemu		u:object_r:qemu_prop:s0
-ro.emu.                 u:object_r:qemu_prop:s0
-ro.emulator.            u:object_r:qemu_prop:s0
-ro.radio.noril          u:object_r:radio_noril_prop:s0
-net.eth0.               u:object_r:net_eth0_prop:s0
-net.shared_net_ip       u:object_r:net_share_prop:s0
diff --git a/target/board/generic/sepolicy/qemu_props.te b/target/board/generic/sepolicy/qemu_props.te
deleted file mode 100644
index b3e2d95..0000000
--- a/target/board/generic/sepolicy/qemu_props.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# qemu-props service:  Sets system properties on boot.
-type qemu_props, domain;
-type qemu_props_exec, vendor_file_type, exec_type, file_type;
-
-init_daemon_domain(qemu_props)
-
-set_prop(qemu_props, qemu_prop)
-# TODO(b/79502552): Invalid property access from emulator vendor
-#set_prop(qemu_props, qemu_cmdline)
-set_prop(qemu_props, qemu_cmdline)
diff --git a/target/board/generic/sepolicy/radio.te b/target/board/generic/sepolicy/radio.te
deleted file mode 100644
index 742d3b2..0000000
--- a/target/board/generic/sepolicy/radio.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow the radio to read these properties, they only have an SELinux label in
-# the emulator.
-get_prop(radio, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/rild.te b/target/board/generic/sepolicy/rild.te
deleted file mode 100644
index ea18373..0000000
--- a/target/board/generic/sepolicy/rild.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow rild to read these properties, they only have an SELinux label in the
-# emulator.
-get_prop(rild, net_eth0_prop);
diff --git a/target/board/generic/sepolicy/shell.te b/target/board/generic/sepolicy/shell.te
deleted file mode 100644
index b246d7e..0000000
--- a/target/board/generic/sepolicy/shell.te
+++ /dev/null
@@ -1 +0,0 @@
-allow shell serial_device:chr_file rw_file_perms;
diff --git a/target/board/generic/sepolicy/surfaceflinger.te b/target/board/generic/sepolicy/surfaceflinger.te
deleted file mode 100644
index 2bba8a7..0000000
--- a/target/board/generic/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow surfaceflinger self:process execmem;
-allow surfaceflinger ashmem_device:chr_file execute;
-
-typeattribute surfaceflinger system_writes_vendor_properties_violators;
-set_prop(surfaceflinger, qemu_prop)
diff --git a/target/board/generic/sepolicy/system_server.te b/target/board/generic/sepolicy/system_server.te
deleted file mode 100644
index dd70b12..0000000
--- a/target/board/generic/sepolicy/system_server.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(system_server, radio_noril_prop)
diff --git a/target/board/generic/sepolicy/vendor_init.te b/target/board/generic/sepolicy/vendor_init.te
deleted file mode 100644
index b18d391..0000000
--- a/target/board/generic/sepolicy/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(vendor_init, qemu_prop)
diff --git a/target/board/generic/sepolicy/vold.te b/target/board/generic/sepolicy/vold.te
deleted file mode 100644
index 5f3bdd4..0000000
--- a/target/board/generic/sepolicy/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit vold kernel:system module_request;
diff --git a/target/board/generic/sepolicy/zygote.te b/target/board/generic/sepolicy/zygote.te
deleted file mode 100644
index da403b5..0000000
--- a/target/board/generic/sepolicy/zygote.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute zygote system_writes_vendor_properties_violators;
-set_prop(zygote, qemu_prop)
-# TODO (b/63631799) fix this access
-# Suppress denials to storage. Webview zygote should not be accessing.
-dontaudit webview_zygote mnt_expand_file:dir getattr;
diff --git a/target/board/generic_arm64/BoardConfig.mk b/target/board/generic_arm64/BoardConfig.mk
index d4a8553..0fa05e8 100644
--- a/target/board/generic_arm64/BoardConfig.mk
+++ b/target/board/generic_arm64/BoardConfig.mk
@@ -94,7 +94,7 @@
 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
 
 BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
-BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common
 
 # Android Verified Boot (AVB):
 #   Builds a special vbmeta.img that disables AVB verification.
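Review bot: The `+` line makes this board depend on a directory in another project with no comment saying so, and a reader of BoardConfig.mk alone cannot tell whether the policy is expected to come from the build tree or the device tree. A one-line comment would make the dependency explicit: `# Emulator (goldfish) vendor sepolicy; requires device/generic/goldfish at a revision that ships sepolicy/common.` If the directory is missing the policy build would, as far as I know, proceed with an empty vendor contribution rather than fail, so the note is the only signal a maintainer gets.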
diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk
index 5af7e5a..684dfc7 100644
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@@ -67,8 +67,8 @@
 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
 
 BOARD_SEPOLICY_DIRS += \
-        build/target/board/generic/sepolicy \
-        build/target/board/generic_x86/sepolicy
+        device/generic/goldfish/sepolicy/common \
+        device/generic/goldfish/sepolicy/x86
 
 # Android Verified Boot (AVB):
 #   Builds a special vbmeta.img that disables AVB verification.
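Review bot: The x86 directory added on the second `+` line is where the board's deleted x86 rules must now live, and those rules are security-relevant relaxations — `execmem` for zygote and installd and `sys_nice` for healthd and zygote, per the deleted x86 .te files in this commit — that are only acceptable because the target is an emulator. Nothing in this change shows they were re-added under device/generic/goldfish/sepolicy/x86 with the same scope, and as far as I can tell the policy build would not fail if that directory or those files were absent, so I would cross-check the companion goldfish change before merging. Adding `# x86-only emulator relaxations (execmem, sys_nice) live in goldfish/sepolicy/x86` above the list would make the dependency visible to the next maintainer.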
diff --git a/target/board/generic_x86/sepolicy/OWNERS b/target/board/generic_x86/sepolicy/OWNERS
deleted file mode 100644
index 3828988..0000000
--- a/target/board/generic_x86/sepolicy/OWNERS
+++ /dev/null
@@ -1,4 +0,0 @@
-jeffv@google.com
-dcashman@google.com
-jbires@google.com
-sspatil@google.com
diff --git a/target/board/generic_x86/sepolicy/domain.te b/target/board/generic_x86/sepolicy/domain.te
deleted file mode 100644
index 0bc8d87..0000000
--- a/target/board/generic_x86/sepolicy/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow domain cpuctl_device:dir search;
diff --git a/target/board/generic_x86/sepolicy/healthd.te b/target/board/generic_x86/sepolicy/healthd.te
deleted file mode 100644
index 95fa807..0000000
--- a/target/board/generic_x86/sepolicy/healthd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow healthd self:capability sys_nice;
diff --git a/target/board/generic_x86/sepolicy/init.te b/target/board/generic_x86/sepolicy/init.te
deleted file mode 100644
index 3aa81d1..0000000
--- a/target/board/generic_x86/sepolicy/init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow init tmpfs:lnk_file create_file_perms;
diff --git a/target/board/generic_x86/sepolicy/installd.te b/target/board/generic_x86/sepolicy/installd.te
deleted file mode 100644
index 7a558b1..0000000
--- a/target/board/generic_x86/sepolicy/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow installd self:process execmem;
diff --git a/target/board/generic_x86/sepolicy/zygote.te b/target/board/generic_x86/sepolicy/zygote.te
deleted file mode 100644
index 93993a4..0000000
--- a/target/board/generic_x86/sepolicy/zygote.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow zygote self:process execmem;
-allow zygote self:capability sys_nice;
diff --git a/target/board/generic_x86_64/BoardConfig.mk b/target/board/generic_x86_64/BoardConfig.mk
index 81e325e..5bcb9ad 100755
--- a/target/board/generic_x86_64/BoardConfig.mk
+++ b/target/board/generic_x86_64/BoardConfig.mk
@@ -65,8 +65,8 @@
 BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216
 
 BOARD_SEPOLICY_DIRS += \
-        build/target/board/generic/sepolicy \
-        build/target/board/generic_x86/sepolicy
+        device/generic/goldfish/sepolicy/common \
+        device/generic/goldfish/sepolicy/x86
 
 # Android Verified Boot (AVB):
 #   Builds a special vbmeta.img that disables AVB verification.
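Review bot: The two new BOARD_SEPOLICY_DIRS entries on the `+` lines are the only place this board records where its emulator-specific policy now comes from, and the x86 subdirectory is expected to carry the `execmem` and `sys_nice` grants deleted from build/target/board/generic_x86/sepolicy in this commit. Since those grants widen what zygote and installd may do, I would verify that the goldfish x86 directory reproduces them unchanged and nothing more, and document the expectation inline: `# Emulator-only policy; x86 subdir holds execmem/sys_nice relaxations for zygote/installd/healthd.` A missing directory would, as far as I recall, silently yield no policy rather than a build error.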
diff --git a/target/board/generic_x86_arm/BoardConfig.mk b/target/board/generic_x86_arm/BoardConfig.mk
index 131c001..c66aacc 100644
--- a/target/board/generic_x86_arm/BoardConfig.mk
+++ b/target/board/generic_x86_arm/BoardConfig.mk
@@ -61,4 +61,4 @@
 BOARD_FLASH_BLOCK_SIZE := 512
 TARGET_USERIMAGES_SPARSE_EXT_DISABLED := true
 
-BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
+BOARD_SEPOLICY_DIRS += device/generic/goldfish/sepolicy/common