From d96b55b88ab9e16b685cd0fff0bd11cce78a614c Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Wed, 28 Feb 2018 10:19:54 -0800
Subject: [PATCH] Remove vendor_firmware_file type

It's causing surfaceflinger denials and does not exist on other devices. Grant kernel read access to vendor/firmware's new type.
denied { search } for comm="surfaceflinger" name="firmware" scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir
Test: boot Taimen without denials.
Bug: 68213100
Change-Id: Ib5e1187a09ba59907c29e3de51f7189d25d42b49
---
 sepolicy/vendor/bug_map | 1 -
 sepolicy/vendor/file.te | 2 --
 sepolicy/vendor/file_contexts | 1 -
 sepolicy/vendor/kernel.te | 7 +++----
 4 files changed, 3 insertions(+), 8 deletions(-)
 delete mode 100644 sepolicy/vendor/bug_map

diff --git a/sepolicy/vendor/bug_map b/sepolicy/vendor/bug_map
deleted file mode 100644
index 8e72b519..00000000
--- a/sepolicy/vendor/bug_map
+++ /dev/null
@@ -1 +0,0 @@
-surfaceflinger vendor_firmware_file dir 68213100
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index d954c007..3d916968 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -71,8 +71,6 @@ type sensors_vendor_data_file, file_type, data_file_type;
 type audio_vendor_data_file, file_type, data_file_type;
 type mediadrm_vendor_data_file, file_type, data_file_type;
-type vendor_firmware_file, vendor_file_type, file_type;
-
 #data sysfs files
 type sysfs_data, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index d9290d61..e213942c 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -120,7 +120,6 @@
 /system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
 # files in /vendor
-/vendor/firmware(/.*)? u:object_r:vendor_firmware_file:s0
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service.wahoo u:object_r:hal_dumpstate_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.vr@1\.0-service.wahoo u:object_r:hal_vr_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service.wahoo u:object_r:hal_fingerprint_default_exec:s0
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index d2bf9c0f..758eb697 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -3,12 +3,11 @@ userdebug_or_eng(`
 allow kernel self:socket create;
 ')
-allow kernel vendor_firmware_file:dir search;
-allow kernel vendor_firmware_file:file r_file_perms;
-allow kernel vendor_firmware_file:lnk_file read;
-
 dontaudit kernel kernel:system module_request;
+# Read FDs from /vendor/firmware
+allow kernel vendor_file:file r_file_perms;
+
 allow kernel debugfs_ipc:dir search;
 allow kernel persist_file:dir search;
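Review bot: The added `allow kernel vendor_file:file r_file_perms;` in kernel.te is wider than the comment above it says: it lets the kernel domain read every file labelled `vendor_file`, not just the blobs under /vendor/firmware, which is the cost of dropping the dedicated type. I would make the comment say so, e.g. `# /vendor/firmware now carries the generic vendor_file label, so this grants read on all vendor_file files`, so a later audit of the kernel domain does not take the rule for a firmware-only grant. The removed `vendor_firmware_file:dir search` and `vendor_firmware_file:lnk_file read` rules get no `vendor_file` counterpart in this hunk; presumably the platform policy already covers directory search, but that is not visible here, and a firmware path that is a symlink would need `lnk_file read` added back. The label that /vendor/firmware falls back to is also assigned outside this patch, so `ls -Z /vendor/firmware` on a test build is worth checking alongside the boot test.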