Merge "tee domain is a vendor domain" into oc-dev

d46d3a6c · TreeHugger Robot · Android (Google) Code Review · edc53291 · 0f6c047d · d46d3a6c
Commit d46d3a6c authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/tee.te
+++ b/private/tee.te
-typeattribute tee coredomain;
-
 init_daemon_domain(tee)

-# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
-# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
 typeattribute tee socket_between_core_and_vendor_violators;
--- a/public/file.te
+++ b/public/file.te
@@ -180,7 +180,7 @@ type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;

--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,6 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)

 allow hal_keymaster tee_device:chr_file rw_file_perms;
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
 allow hal_keymaster tee:unix_stream_socket connectto;

 allow hal_keymaster ion_device:chr_file r_file_perms;
--- a/public/tee.te
+++ b/public/tee.te
@@ -13,5 +13,8 @@ allow tee self:netlink_socket create_socket_perms_no_ioctl;
 allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow tee ion_device:chr_file r_file_perms;
 r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
 allow tee system_data_file:file { getattr read };
 allow tee system_data_file:lnk_file r_file_perms;
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -7,8 +7,6 @@ init_daemon_domain(hal_drm_default)
 allow hal_drm_default mediacodec:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;

-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_default socket_between_core_and_vendor_violators;
 # TODO (b/36601695) remove hal_drm's access to /data or move to
 # /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
 # attribute.

--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,6 +3,3 @@ hal_server_domain(hal_keymaster_default, hal_keymaster)

 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
-
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
-typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;