Merge "No access to tee domain over Unix domain sockets" into oc-dev

am: ea53e29f82

Change-Id: Ic6aa9fa02e28a6f35ad76a8387593ecd566929a7

private/surfaceflinger.te

@@ -60,7 +60,6 @@ r_dir_file(surfaceflinger, dumpstate)
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 

public/drmserver.te

@@ -31,7 +31,6 @@ type drmserver_socket, file_type;
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
 

public/hal_drm.te

@@ -34,8 +34,6 @@ allow hal_drm media_data_file:file { getattr read };
 
 allow hal_drm sysfs:file r_file_perms;
 
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
 allow hal_drm tee_device:chr_file rw_file_perms;
 
 # only allow unprivileged socket ioctl commands

public/hal_keymaster.te

@@ -2,6 +2,4 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
-
 allow hal_keymaster ion_device:chr_file r_file_perms;

public/mediaserver.te

@@ -78,9 +78,6 @@ unix_socket_connect(mediaserver, drmserver, drmserver)
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;