No access to tee domain over Unix domain sockets

The tee domain is a vendor domain. Thus it cannot be accessed by non-vendor components over Unix domain sockets. It appears that the rules granting this access are not needed. Test: Flash a clean build with this change. Confirm that bullhead, angler, sailfish, ryu, boot without new denials. Confirm that YouTube, Netflix, Google Play Movies play back videos without new denials. Bug: 36714625 Bug: 36715266 Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a

No access to tee domain over Unix domain sockets
f86d54f0 · Alex Klyubin · ed82acb9 · f86d54f0 · f86d54f0 · f86d54f0
Commit f86d54f0 authored 7 years ago by Alex Klyubin
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -60,7 +60,6 @@ r_dir_file(surfaceflinger, dumpstate)
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;

--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -31,7 +31,6 @@ type drmserver_socket, file_type;
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;

--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -34,8 +34,6 @@ allow hal_drm media_data_file:file { getattr read };
 allow hal_drm sysfs:file r_file_perms;
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
 allow hal_drm tee_device:chr_file rw_file_perms;
 # only allow unprivileged socket ioctl commands

--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,4 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
 allow hal_keymaster ion_device:chr_file r_file_perms;
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -78,9 +78,6 @@ unix_socket_connect(mediaserver, drmserver, drmserver)
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;