Revert "Neverallow coredomain to kernel interface files."
This reverts commit 502e43f7d9f8ed2ccdd0c2d2c7aa2bc84d9c02e7.
Reason for revert: Suspected to have broken a build, see b/68792382
Bug: 68792382
Change-Id: Ib5d465b7a50a73e3d8d8edd4e6b3426a7bde4249
(cherry picked from commit 83a06805f06fa4af10fd1c655932b508e1ebe0a9)
diff --git a/private/domain.te b/private/domain.te
index b80064e..d37a0bd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -16,119 +16,3 @@
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
- # /proc
- neverallow {
- coredomain
- -dumpstate
- -init
- -platform_app
- -priv_app
- -radio
- -shell
- -system_app
- -vold
- -vendor_init
- } proc:file no_rw_file_perms;
-
- # /sys
- neverallow {
- coredomain
- -charger
- -dumpstate
- -healthd
- -init
- -mediaserver
- -priv_app
- -radio
- -storaged
- -system_app
- -system_server
- -ueventd
- -update_verifier
- -vold
- -vendor_init
- } sysfs:file no_rw_file_perms;
-
- # /dev
- neverallow {
- coredomain
- -fsck
- -init
- -shell
- -ueventd
- -vendor_init
- } device:{ blk_file file } no_rw_file_perms;
-
- # debugfs
- neverallow {
- coredomain
- -dumpstate
- -init
- -system_server
- -vendor_init
- } debugfs:file no_rw_file_perms;
-
- # tracefs
- neverallow {
- coredomain
- -atrace
- -dumpstate
- -init
- -perfprofd
- -shell
- -vendor_init
- } debugfs_tracing:file no_rw_file_perms;
-
- # inotifyfs
- neverallow {
- coredomain
- -init
- -vendor_init
- } inotify:file no_rw_file_perms;
-
- # pstorefs
- neverallow {
- coredomain
- -bootstat
- -charger
- -dumpstate
- -healthd
- -init
- -logd
- -logpersist
- -recovery_persist
- -recovery_refresh
- -shell
- -system_server
- -vendor_init
- } pstorefs:file no_rw_file_perms;
-
- # configfs
- neverallow {
- coredomain
- -init
- -system_server
- -vendor_init
- } configfs:file no_rw_file_perms;
-
- # functionfs
- neverallow {
- coredomain
- -adbd
- -init
- -mediaprovider
- -vendor_init
- }functionfs:file no_rw_file_perms;
-
- # usbfs and binfmt_miscfs
- neverallow {
- coredomain
- -init
- -vendor_init
- }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-')