Remove now-unused permissions
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index c9fc32c..49bc5b3 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,13 +7,8 @@
# Allow using various binder services
binder_use(compos);
-allow compos {
- authfs_binder_service
- dice_node_service
-}:service_manager find;
+allow compos authfs_binder_service:service_manager find;
binder_call(compos, authfs_service);
-binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
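Review bot: Nothing in this hunk prevents a later change from quietly granting the removed DICE access back to `compos`. Since the description says only compos_key_helper talks to DICE now, consider pinning that next to the remaining `allow compos authfs_binder_service:service_manager find;` with `neverallow compos dice_node_service:service_manager find;` and `neverallow compos diced:diced *;`. This assumes compos_key_helper runs in its own domain rather than in `compos`, which is not visible here and should be confirmed before adding the rules. The rest of compos.te lies outside the hunk, so an equivalent neverallow may already exist elsewhere in the policy.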
diff --git a/private/odsign.te b/private/odsign.te
index 381cf17..86a0a6b 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -44,10 +44,6 @@
allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
allow odsign apex_art_data_file:file { rw_file_perms unlink };
-# For CompOS instance & key files
-allow odsign apex_compos_data_file:dir { getattr search };
-allow odsign apex_compos_data_file:file r_file_perms;
-
# Run odrefresh to refresh ART artifacts
domain_auto_trans(odsign, odrefresh_exec, odrefresh)