Merge "Remove unneeded permissions" into qt-dev

private/app_neverallows.te

@@ -321,9 +321,6 @@ full_treble_only(`
   }:binder { call transfer };
 ')
 
-# Untrusted apps are not allowed to find mediaextractor update service.
-neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769

private/compat/28.0/28.0.cil

@@ -9,6 +9,7 @@
 (type kmem_device)
 (type mediacodec)
 (type mediacodec_exec)
+(type mediaextractor_update_service)
 (type mtd_device)
 (type qtaguid_proc)
 (type thermalcallback_hwservice)

private/service_contexts

@@ -112,9 +112,7 @@ media.log                                 u:object_r:audioserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.metrics                             u:object_r:mediametrics_service:s0
 media.extractor                           u:object_r:mediaextractor_service:s0
-media.extractor.update                    u:object_r:mediaextractor_update_service:s0
 media.codec                               u:object_r:mediacodec_service:s0
-media.codec.update                        u:object_r:mediaextractor_update_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
 media.sound_trigger_hw                    u:object_r:audioserver_service:s0
 media.drm                                 u:object_r:mediadrmserver_service:s0

private/system_server.te

@@ -894,11 +894,6 @@ userdebug_or_eng(`
   allow system_server user_profile_data_file:file create_file_perms;
 ')
 
-userdebug_or_eng(`
-  # Allow system server to notify mediaextractor of the plugin update.
-  allow system_server mediaextractor_update_service:service_manager find;
-')
-
 # UsbDeviceManager uses /dev/usb-ffs
 allow system_server functionfs:dir search;
 allow system_server functionfs:file rw_file_perms;

public/domain.te

@@ -1397,9 +1397,3 @@ neverallow {
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
 
-neverallow {
-  domain
-  userdebug_or_eng(`-mediaextractor')
-  userdebug_or_eng(`-mediaswcodec')
-} mediaextractor_update_service:service_manager add;
-

public/mediaextractor.te

@@ -39,15 +39,6 @@ allow mediaextractor system_file:dir { read open };
 
 get_prop(mediaextractor, device_config_media_native_prop)
 
-userdebug_or_eng(`
-  # Allow extractor to add update service.
-  allow mediaextractor mediaextractor_update_service:service_manager { find add };
-
-  # Allow extractor to load media extractor plugins from update apk.
-  allow mediaextractor apk_data_file:dir search;
-  allow mediaextractor apk_data_file:file { execute open };
-')
-
 ###
 ### neverallow rules
 ###

public/mediaswcodec.te

@@ -8,13 +8,3 @@ hal_client_domain(mediaswcodec, hal_allocator)
 hal_client_domain(mediaswcodec, hal_graphics_allocator)
 
 get_prop(mediaswcodec, device_config_media_native_prop)
-
-userdebug_or_eng(`
-  binder_use(mediaswcodec)
-  # Add mediaextractor_update_service service
-  allow mediaswcodec mediaextractor_update_service:service_manager { find add };
-
-  # Allow mediaswcodec to load libs from update apk.
-  allow mediaswcodec apk_data_file:file { open read execute getattr map };
-  allow mediaswcodec apk_data_file:dir { search getattr };
-')

public/service.te

@@ -20,7 +20,6 @@ type lpdump_service,            service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediametrics_service,      service_manager_type;
 type mediaextractor_service,    service_manager_type;
-type mediaextractor_update_service, service_manager_type;
 type mediacodec_service,        service_manager_type;
 type mediadrmserver_service,    service_manager_type;
 type netd_service,              service_manager_type;