Merge "[cleanup] Remove permissions about binder_device inside microdroid"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index ec6b7f8..04a9859 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -46,13 +46,6 @@
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by ... everyone! :)
-allow domain binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 60becf8..ae9b095 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -34,7 +34,6 @@
/dev(/.*)? u:object_r:device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -55,7 +54,6 @@
/dev/hvc1 u:object_r:serial_device:s0
/dev/hvc2 u:object_r:log_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
@@ -86,7 +84,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 14dbb90..40decfe 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -357,10 +357,6 @@
genfscon securityfs / u:object_r:securityfs:s0
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
genfscon exfat / u:object_r:exfat:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 19b7256..283775e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -230,11 +230,9 @@
allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
- binder_device
console_device
devpts
dm_device
- hwbinder_device
kmsg_device
null_device
owntty_device
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 27efdc4..8c6f777 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,6 +1,5 @@
type ashmem_device, dev_type;
type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
@@ -11,7 +10,6 @@
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
-type hwbinder_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type;
type kvm_device, dev_type;
@@ -37,6 +35,5 @@
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type;
-type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;