Merge "[cleanup] Remove permissions about binder_device inside microdroid"
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0628a5b..d1dcff0 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -277,14 +277,6 @@
installable: false,
}
-prebuilt_etc {
- name: "microdroid_service_contexts",
- filename: "plat_service_contexts",
- src: "system/private/service_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
// For CTS
se_policy_conf {
name: "microdroid_general_sepolicy.conf",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 7efb6af..04a9859 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -387,13 +387,6 @@
{ create relabelfrom relabelto append link rename };
neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index e1db47b..8765f75 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -51,6 +51,9 @@
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+# Allow microdroid_manager to read the CID of the VM.
+allow microdroid_manager vsock_device:chr_file { ioctl open read };
+
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
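Review bot: The new `allow microdroid_manager vsock_device:chr_file { ioctl open read };` grants every ioctl on the vsock device, while the comment above it says only the CID read is needed; Android policy convention is to narrow `ioctl` with an extended-permission rule. Reading the local CID is presumably `IOCTL_VM_SOCKETS_GET_LOCAL_CID` (0x7b9 in linux/vm_sockets.h), so the allow should be paired with `allowxperm microdroid_manager vsock_device:chr_file ioctl { 0x07b9 };`, or the named define if the policy's ioctl_defines carries it — confirm which ioctl the code actually issues before landing. It is also worth noting that this new vsock grant is unrelated to the binder_device cleanup in the commit title and would be easier to audit as its own change. The rest of microdroid_manager.te lies outside the hunk.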
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
deleted file mode 100644
index 837a28f..0000000
--- a/microdroid/system/private/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-adb u:object_r:adb_service:s0
-manager u:object_r:service_manager_service:s0
-* u:object_r:default_android_service:s0
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 5b411b6..efc1aa3 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,6 +1,3 @@
# Miscellaneous types
-type adb_service, service_manager_type;
-type default_android_service, service_manager_type;
-type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;