[rpc_binder] Remove permissions about virual_machine_payload_service

This cl removes the SELinux permissions about virual_machine_payload_service / servicemanager communication. Bug: 257260848 Test: atest MicrodroidTests Change-Id: I2aeac92bdba7db1256ca48cdfca2265441882abf
2022-11-21 09:24:14 +00:00 · 2022-11-21 09:24:14 +00:00 · 33fba3f1eb
commit 33fba3f1eb
parent 45d8baf70d
5 changed files with 0 additions and 17 deletions
--- a/microdroid/system/private/compos_key_helper.te
+++ b/microdroid/system/private/compos_key_helper.te
@ -6,11 +6,6 @@ type compos_key_helper_exec, exec_type, file_type, system_file_type;
 # Block crash dumps to ensure the secrets are not leaked.
 typeattribute compos_key_helper no_crash_dump_domain;

-# Allow use of vm_payload_binder_service
-binder_use(compos_key_helper);
-allow compos_key_helper vm_payload_binder_service:service_manager find;
-binder_call(compos_key_helper, microdroid_manager);
-
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;
 allow compos_key_helper compos:fifo_file { getattr read write };
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@ -54,12 +54,6 @@ allow microdroid_manager self:vsock_socket { listen accept };
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)

-# microdroid_manager hosts binder services.
-binder_use(microdroid_manager)
-
-# microdroid_manager can add virtual_machine_payload_service
-add_service(microdroid_manager, vm_payload_binder_service)
-
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@ -59,9 +59,5 @@ allow microdroid_payload authfs_data_file:dir search;
 allow microdroid_payload authfs_fuse:dir rw_dir_perms;
 allow microdroid_payload authfs_fuse:file create_file_perms;

-# Allow use of virtual_machine_payload_service.
-allow microdroid_payload vm_payload_binder_service:service_manager find;
-binder_call(microdroid_payload, microdroid_manager)
-
 # Allow payload to communicate with microdroid manager
 unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@ -1,5 +1,4 @@
 adb                                       u:object_r:adb_service:s0
-virtual_machine_payload_service           u:object_r:vm_payload_binder_service:s0
 apexservice                               u:object_r:apex_service:s0
 authfs_service                            u:object_r:authfs_binder_service:s0
 manager                                   u:object_r:service_manager_service:s0
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@ -3,7 +3,6 @@ type adb_service, service_manager_type;
 type apex_service, service_manager_type;
 type authfs_binder_service, service_manager_type;
 type default_android_service, service_manager_type;
-type vm_payload_binder_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;