virtualizationservice no longer tries to check for pKVM extension.
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400ad214948d7d5863e5d90b18a07dcb1.
Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
diff --git a/private/crosvm.te b/private/crosvm.te
index b3d96c8..ec58875 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -7,7 +7,7 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm mlock VM memory and page tables.
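Review bot: The `neverallowxperm` rule directly below the tightened line still exempts `KVM_CHECK_EXTENSION` for every domain other than crosvm. This looks like a leftover from the virtualizationservice access this commit removes, although the hunk does not show where the exemption came from. With the new `neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;`, only crosvm and ueventd can be granted `ioctl` on `kvm_device` at all, so the exemption now applies to ueventd alone. If ueventd has no need to issue that ioctl (not visible here), the exemption should be dropped so the two rules describe the same policy. Otherwise it should be explained with a comment such as `# KVM_CHECK_EXTENSION is still permitted for <domain> because <reason>; no other domain may ioctl /dev/kvm.` The rest of crosvm.te lies outside this hunk, so any matching `allowxperm` rules could not be checked.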
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c4f2cd9..5f6375f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -61,10 +61,6 @@
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write ioctl };
-allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
-
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)