Remove now-unused permissions CompOS no longer talks directly to DICE (compos_key_helper does). odsign no longer promotes or deletes instance CompOS files, and the key files don't exist any more. Bug: 218494522 Test: Manual; trigger compilation, reboot & watch odsign Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c

commit: 0c5449b193646415c43160994512ff3dd91eedf5 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Thu Feb 17 18:01:46 2022 +0000
committer: Alan Stokes <alanstokes@google.com> Tue Feb 22 17:40:05 2022 +0000
tree: e746cb0fe01fa8a47bf5f304ff39dfb26db0cdfe
parent: dc4332b32b3c7d352743af8d90f1eaea0813447d [diff]
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index c9fc32c..49bc5b3 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te

@@ -7,13 +7,8 @@
 
 # Allow using various binder services
 binder_use(compos);
-allow compos {
-    authfs_binder_service
-    dice_node_service
-}:service_manager find;
+allow compos authfs_binder_service:service_manager find;
 binder_call(compos, authfs_service);
-binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain derive };
 
 # Read artifacts created by odrefresh and create signature files.
 allow compos authfs_fuse:dir rw_dir_perms;
commit	0c5449b193646415c43160994512ff3dd91eedf5	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Thu Feb 17 18:01:46 2022 +0000
committer	Alan Stokes <alanstokes@google.com>	Tue Feb 22 17:40:05 2022 +0000
tree	e746cb0fe01fa8a47bf5f304ff39dfb26db0cdfe
parent	dc4332b32b3c7d352743af8d90f1eaea0813447d [diff]