Merge "Revert "Revert^2 "[avf][rkp] Allow virtualizationservice to regi..."" into main

commit: 3f92c1beb3f884741d5eaed61ee1656643345a5e [log] [tgz]
author: Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Tue Nov 14 02:41:56 2023 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Nov 14 02:41:56 2023 +0000
tree: 39b9e1a0194d17b6de487748e091b8320c323a4f
parent: dd034824b12b7a1b1ec83896cff1a31d645fcba5 [diff]
parent: 18bcf12fbb8e72ece28107db170aaaa0804b1f6e [diff]
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 5462037..81d90d4 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -176,7 +176,6 @@
 		"android.service.gatekeeper.IGateKeeperService":                   []string{"gatekeeperd_service_fuzzer"},
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
 		// TODO(b/294158658): add fuzzer
-		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 6e7aac4..ddaa7e2 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -6,7 +6,6 @@
 (typeattributeset new_objects
   ( new_objects
     archive_service
-    avf_remotelyprovisionedcomponent_service
     dtbo_block_device
     ota_build_prop
     snapuserd_log_data_file

diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 4ecbbe7..509a96e 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te

@@ -10,10 +10,6 @@
 # RKPD needs to be able to call the remote provisioning HALs
 hal_client_domain(rkpdapp, hal_keymint)
 
-# Grant access to AVF IRPC service
-allow rkpdapp avf_remotelyprovisionedcomponent_service:service_manager find;
-binder_call(rkpdapp, virtualizationservice)
-
 # Grant access to certain system properties related to RKP
 get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
 set_prop(rkpdapp, remote_prov_prop)

diff --git a/private/service_contexts b/private/service_contexts
index ad22c6c..898cb14 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -93,7 +93,6 @@
 android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure  u:object_r:hal_authgraph_service:s0
 android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:hal_keymint_service:s0
 android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/avf     u:object_r:avf_remotelyprovisionedcomponent_service:s0
 android.hardware.gatekeeper.IGatekeeper/default                      u:object_r:hal_gatekeeper_service:s0
 android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
 android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index cc31d04..97e64af 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -351,8 +351,6 @@
 # permission for recovery in order not to give system server the access to
 # the low level block devices.
 not_recovery(`hal_client_domain(system_server, hal_bootctl)')
-allow system_server avf_remotelyprovisionedcomponent_service:service_manager find;
-binder_call(system_server, virtualizationservice)
 
 # Talk with graphics composer fences
 allow system_server hal_graphics_composer:fd use;

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 432ca53..93cd04c 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -15,9 +15,6 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
-# Allow registering as a remotely provisioned component for pVM remote attestation.
-add_service(virtualizationservice, avf_remotelyprovisionedcomponent_service)
-
 # Let virtualizationservice find and communicate with vfio_handler.
 allow virtualizationservice vfio_handler_service:service_manager find;
 binder_call(virtualizationservice, vfio_handler)

diff --git a/public/service.te b/public/service.te
index 023dcfa..a208dcf 100644
--- a/public/service.te
+++ b/public/service.te

@@ -319,7 +319,6 @@
 type hal_radio_service, protected_service, hal_service_type, service_manager_type;
 type hal_rebootescrow_service, protected_service, hal_service_type, service_manager_type;
 type hal_remoteaccess_service, protected_service, hal_service_type, service_manager_type;
-type avf_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
commit	3f92c1beb3f884741d5eaed61ee1656643345a5e	[log] [tgz]
author	Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com>	Tue Nov 14 02:41:56 2023 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Nov 14 02:41:56 2023 +0000
tree	39b9e1a0194d17b6de487748e091b8320c323a4f
parent	dd034824b12b7a1b1ec83896cff1a31d645fcba5 [diff]
parent	18bcf12fbb8e72ece28107db170aaaa0804b1f6e [diff]