Merge "Enforce MAC address restrictions for priv apps."
diff --git a/apex/Android.bp b/apex/Android.bp
index 5d61303..8f11771 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -195,13 +195,6 @@
}
filegroup {
- name: "com.android.telephony-file_contexts",
- srcs: [
- "com.android.telephony-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.tzdata-file_contexts",
srcs: [
"com.android.tzdata-file_contexts",
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
deleted file mode 100644
index f3a65d4..0000000
--- a/apex/com.android.telephony-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..1887654 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -3,6 +3,8 @@
init_daemon_domain(tombstone_transmit)
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/private/crosvm.te b/private/crosvm.te
index e47abd7..73ce3c6 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -63,9 +63,6 @@
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
-# For ACPI
-allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not