From ece557dc7a93106e8e6f144b599a2e23b0ce0e49 Mon Sep 17 00:00:00 2001 From: Alice Wang Date: Tue, 31 Oct 2023 15:01:15 +0000 Subject: [PATCH] Revert "[avf][rkp] Allow virtualizationservice to register RKP H..." Revert submission 2778549-expose-avf-rkp-hal Reason for revert: SELinux denial avc: denied { find } for pid=3400 uid=10085 name=android.hardware.security.keymint.IRemotelyProvisionedComponent/avf scontext=u:r:rkpdapp:s0:c85,c256,c512,c768 tcontext=u:object_r:avf_remotelyprovisionedcomponent_service:s0 tclass=service_manager permissive=0 Reverted changes: /q/submissionid:2778549-expose-avf-rkp-hal Bug: 308596709 Change-Id: If8e448e745f2701cf00e7757d0a079d8700d43c0 --- build/soong/service_fuzzer_bindings.go | 1 - private/compat/34.0/34.0.ignore.cil | 1 - private/service_contexts | 1 - private/virtualizationservice.te | 3 --- public/service.te | 1 - 5 files changed, 7 deletions(-) diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go index b03efa680..44c3243fc 100644 --- a/build/soong/service_fuzzer_bindings.go +++ b/build/soong/service_fuzzer_bindings.go @@ -174,7 +174,6 @@ var ( "android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"}, "android.system.composd": EXCEPTION_NO_FUZZER, // TODO(b/294158658): add fuzzer - "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER, "android.system.virtualizationservice": EXCEPTION_NO_FUZZER, "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER, "ambient_context": EXCEPTION_NO_FUZZER, diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil index cfe0a3a13..69902d81f 100644 --- a/private/compat/34.0/34.0.ignore.cil +++ b/private/compat/34.0/34.0.ignore.cil @@ -6,7 +6,6 @@ (typeattributeset new_objects ( new_objects archive_service - avf_remotelyprovisionedcomponent_service dtbo_block_device ota_build_prop snapuserd_log_data_file diff --git a/private/service_contexts b/private/service_contexts index 6c5f1ee48..a1fb06b26 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -91,7 +91,6 @@ android.hardware.radio.voice.IRadioVoice/slot3 u:object_r: android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0 android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0 -android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:avf_remotelyprovisionedcomponent_service:s0 android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0 android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0 android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0 diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te index 432ca53f9..93cd04c71 100644 --- a/private/virtualizationservice.te +++ b/private/virtualizationservice.te @@ -15,9 +15,6 @@ binder_use(virtualizationservice) # Let the virtualizationservice domain register the virtualization_service with ServiceManager. add_service(virtualizationservice, virtualization_service) -# Allow registering as a remotely provisioned component for pVM remote attestation. -add_service(virtualizationservice, avf_remotelyprovisionedcomponent_service) - # Let virtualizationservice find and communicate with vfio_handler. allow virtualizationservice vfio_handler_service:service_manager find; binder_call(virtualizationservice, vfio_handler) diff --git a/public/service.te b/public/service.te index ba7921a10..e018e40c4 100644 --- a/public/service.te +++ b/public/service.te @@ -315,7 +315,6 @@ type hal_power_stats_service, protected_service, hal_service_type, service_manag type hal_radio_service, protected_service, hal_service_type, service_manager_type; type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type; type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type; -type avf_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type; type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type; type hal_sensors_service, protected_service, hal_service_type, service_manager_type; type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;