[dice] Remove all the sepolicy relating the hal service dice am: 5e94b1698c am: 13e58cf7b1 am: a9a8c0cb93

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2426073

Change-Id: Ia58829024a4eec19239f71fb93aa01649f08b192
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Alice Wang 2023-02-24 21:23:06 +00:00 committed by Automerger Merge Worker
commit 4a8ab250c8
18 changed files with 5 additions and 57 deletions


@ -746,16 +746,6 @@ class keystore2_key
use_dev_id
}
class diced
{
demote
demote_self
derive
get_attestation_chain
use_seal
use_sign
}
class drmservice {
consumeRights
setPlaybackStatus


@ -163,8 +163,5 @@ class keystore2 # userspace
# Keystore 2.0 key permissions
class keystore2_key # userspace
# Diced permissions
class diced # userspace
class drmservice # userspace
# FLASK


@ -139,9 +139,6 @@ attribute halserverdomain;
attribute halclientdomain;
expandattribute halclientdomain true;
# HALs
hal_attribute(dice);
# All types used for DMA-BUF heaps
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;


@ -1,4 +1,9 @@
;; types removed from current policy
(type dice_maintenance_service)
(type dice_node_service)
(type diced)
(type diced_exec)
(type hal_dice_service)
(type iorap_inode2filename)
(type iorap_inode2filename_exec)
(type iorap_inode2filename_tmpfs)
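Review bot: The new ignore list records the five system-side types this change deletes (dice_maintenance_service, dice_node_service, diced, diced_exec, hal_dice_service), but hal_dice_default and hal_dice_default_exec, which are deleted in the last hunk of this commit, are not added here. If that last file is vendor policy and therefore outside the platform compat mapping the omission is expected, but it is worth confirming, since a vendor image built against the older labels would otherwise hit a missing-type error at policy compile time rather than a silent ignore. A comment above the new entries such as `;; dice types removed in the platform policy; vendor-side hal_dice_default types are not tracked by this mapping` would make the choice explicit for the next person who trims the list.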


@ -8,7 +8,6 @@ allow crash_dump {
-apexd
-bpfloader
-crash_dump
-diced
-init
-kernel
-keystore
@ -43,7 +42,6 @@ neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
diced
init
kernel
keystore


@ -1,6 +0,0 @@
typeattribute diced coredomain;
init_daemon_domain(diced)
# Talk to dice HAL.
hal_client_domain(diced, hal_dice)


@ -18,7 +18,6 @@ define(`dumpable_domain',`{
-bpfloader
-crash_dump
-crosvm # TODO(b/236672526): Remove exception for crosvm
-diced
-init
-kernel
-keystore


@ -291,7 +291,6 @@
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/diced u:object_r:diced_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0


@ -52,7 +52,6 @@ never_profile_heap(`{
apexd
app_zygote
bpfloader
diced
hal_configstore_server
init
kernel


@ -23,7 +23,6 @@ userdebug_or_eng(`
allow llkd {
domain
-apexd
-diced
-kernel
-keystore
-init


@ -84,7 +84,6 @@ android.hardware.radio.voice.IRadioVoice/slot1 u:object_r:
android.hardware.radio.voice.IRadioVoice/slot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/slot3 u:object_r:hal_radio_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
@ -136,8 +135,6 @@ android.frameworks.automotive.display.ICarDisplayProxy/default u:object_r:fwk_au
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
android.security.dice.IDiceNode u:object_r:dice_node_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
android.security.legacykeystore u:object_r:legacykeystore_service:s0


@ -66,7 +66,6 @@ never_profile_perf(`{
apexd
app_zygote
bpfloader
diced
hal_configstore_server
init
kernel


@ -336,7 +336,6 @@ hal_attribute(codec2);
hal_attribute(configstore);
hal_attribute(confirmationui);
hal_attribute(contexthub);
hal_attribute(dice);
hal_attribute(drm);
hal_attribute(dumpstate);
hal_attribute(evs);


@ -1,11 +0,0 @@
type diced, domain;
type diced_exec, system_file_type, exec_type, file_type;
binder_use(diced)
binder_service(diced)
add_service(diced, dice_node_service)
add_service(diced, dice_maintenance_service)
# Check SELinux permissions.
selinux_check_access(diced)


@ -1,4 +0,0 @@
binder_call(hal_dice_client, hal_dice_server)
hal_attribute_service(hal_dice, hal_dice_service)
binder_call(hal_dice_server, servicemanager)


@ -10,8 +10,6 @@ type cameraserver_service, service_manager_type;
type fwk_camera_service, service_manager_type;
type default_android_service, service_manager_type;
type device_config_updatable_service, system_api_service, system_server_service,service_manager_type;
type dice_maintenance_service, service_manager_type;
type dice_node_service, service_manager_type;
type dnsresolver_service, service_manager_type;
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
@ -285,7 +283,6 @@ type hal_can_controller_service, protected_service, hal_service_type, service_ma
type hal_cas_service, hal_service_type, service_manager_type;
type hal_confirmationui_service, protected_service, hal_service_type, service_manager_type;
type hal_contexthub_service, protected_service, hal_service_type, service_manager_type;
type hal_dice_service, protected_service, hal_service_type, service_manager_type;
type hal_drm_service, hal_service_type, service_manager_type;
type hal_dumpstate_service, protected_service, hal_service_type, service_manager_type;
type hal_evs_service, protected_service, hal_service_type, service_manager_type;


@ -95,7 +95,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0


@ -1,5 +0,0 @@
type hal_dice_default, domain;
hal_server_domain(hal_dice_default, hal_dice)
type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dice_default)