Remove RemoteProvisioner and remoteprovisioning services
Bug: 273325840
Test: keystore2_test
Change-Id: I295ccdda5a3d87b568098fdf97b0ca5923e378bf
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 5737284..afcebba 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -16,6 +16,8 @@
(type iorapd_service)
(type iorapd_tmpfs)
(type lowpan_service)
+(type remotelyprovisionedkeypool_service)
+(type remoteprovisioning_service)
(type timezone_service)
(type tzdatacheck)
(type tzdatacheck_exec)
diff --git a/private/credstore.te b/private/credstore.te
index 434808f..02e87f7 100644
--- a/private/credstore.te
+++ b/private/credstore.te
@@ -8,10 +8,6 @@
# talk to keymint, specifically for IRemotelyProvisionedComponent/default
hal_client_domain(credstore, hal_keymint)
-# credstore needs to get keys from the remotely provisioned pool
-allow credstore remotelyprovisionedkeypool_service:service_manager find;
-allow credstore keystore:keystore2 get_attestation_key;
-
# credstore needs to get keys from the RKPD
get_prop(credstore, remote_prov_prop)
allow credstore remote_provisioning_service:service_manager find;
diff --git a/private/property.te b/private/property.te
index 4fd9bc3..482e1c2 100644
--- a/private/property.te
+++ b/private/property.te
@@ -628,10 +628,8 @@
neverallow domain system_and_vendor_property_type:{file property_service} *;
neverallow {
- # Only init and the remote provisioner can set the remote_provisioning props
domain
-init
- -remote_prov_app
-shell
} remote_prov_prop:property_service set;
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
deleted file mode 100644
index d5f8e3f..0000000
--- a/private/remote_prov_app.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-set_prop(remote_prov_app, remote_prov_prop)
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-# if rkpd is enabled, remote provisioner is a noop
-get_prop(remote_prov_app, device_config_remote_key_provisioning_native_prop)
-
-allow remote_prov_app {
- app_api_service
- mediametrics_service
- remoteprovisioning_service
-}:service_manager find;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 24e58bf..48ddeb8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -152,7 +152,6 @@
neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
diff --git a/private/service_contexts b/private/service_contexts
index 6543e3f..91b114f 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -140,8 +140,6 @@
android.security.legacykeystore u:object_r:legacykeystore_service:s0
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.security.remoteprovisioning.IRemotelyProvisionedKeyPool u:object_r:remotelyprovisionedkeypool_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0