Merge "Remove healthd."
diff --git a/private/atrace.te b/private/atrace.te
index d9e351c..cbb5b7c 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -44,7 +44,6 @@
# Allow notifying the processes hosting specific binder services that
# trace-related system properties have changed.
binder_use(atrace)
-allow atrace healthd:binder call;
allow atrace surfaceflinger:binder call;
allow atrace system_server:binder call;
allow atrace cameraserver:binder call;
diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 362b412..35059a9 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -3,6 +3,7 @@
(type apex_permission_data_file)
(type apex_scheduling_data_file)
(type apex_wifi_data_file)
+(type healthd_exec)
(type vr_hwc)
(type vr_hwc_exec)
diff --git a/private/coredomain.te b/private/coredomain.te
index dde80b2..f8a61d2 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -190,7 +190,6 @@
-bootstat
-charger
-dumpstate
- -healthd
userdebug_or_eng(`-incidentd')
-init
-logd
diff --git a/private/domain.te b/private/domain.te
index 85b4228..a0e188b 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -409,7 +409,6 @@
-init
-recovery
-ueventd
- -healthd
-uncrypt
-tee
-hal_bootctl_server
diff --git a/private/file_contexts b/private/file_contexts
index 18be045..14a56d5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -292,7 +292,6 @@
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
diff --git a/private/healthd.te b/private/healthd.te
index 93bc3d8..cf422ed 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,12 +1 @@
typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/private/init.te b/private/init.te
index 3b64e25..09a9a5e 100644
--- a/private/init.te
+++ b/private/init.te
@@ -3,7 +3,6 @@
tmpfs_domain(init)
# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
domain_trans(init, rootfs, slideshow)
domain_auto_trans(init, charger_exec, charger)
domain_auto_trans(init, e2fs_exec, e2fs)
diff --git a/public/domain.te b/public/domain.te
index 95b59d8..e7853ec 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1350,11 +1350,10 @@
-coredomain
} mnt_product_file:dir *;
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
+# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL
full_treble_only(`
neverallow {
coredomain
- -healthd
-shell
# For access to block device information under /sys/class/block.
-apexd
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..c5dcfb7 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -1,50 +1,4 @@
# healthd - battery/charger monitoring service daemon
+# healthd is removed. The type is kept for backwards compatibility.
+
type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
diff --git a/public/iorapd.te b/public/iorapd.te
index b772af8..8fded0c 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -27,9 +27,6 @@
allow iorapd dumpstate:fd use;
allow iorapd dumpstate:fifo_file write;
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
# TODO: does each of the service_manager allow finds above need the binder_call?
# iorapd temporarily changes its priority when running benchmarks
@@ -87,7 +84,6 @@
neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
neverallow iorapd {
domain
- -healthd
-servicemanager
-system_server
userdebug_or_eng(`-su')
diff --git a/public/statsd.te b/public/statsd.te
index 670f4c7..1a09586 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -25,7 +25,6 @@
# Allow statsd to make binder calls to any binder service.
binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
binder_call(statsd, incidentd)
binder_call(statsd, system_server)
diff --git a/public/vold.te b/public/vold.te
index af3152e..c8ff749 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -221,9 +221,6 @@
binder_call(vold, system_server)
allow vold permission_service:service_manager find;
-# talk to batteryservice
-binder_call(vold, healthd)
-
# talk to keymaster
hal_client_domain(vold, hal_keymaster)
@@ -344,7 +341,6 @@
-hal_keymaster_server
-system_suspend_server
-hal_bootctl_server
- -healthd
-hwservicemanager
-iorapd_service
-keystore
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9209b66..27e92b1 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -20,7 +20,6 @@
# TODO(b/152813275): need to avoid allowlist for rootdir
"modprobe",
"slideshow",
- "healthd",
}
class scontext: