Revert "add sepolicy type for widevine/drm hal in system"
This reverts commit ea494f23bdc82ea546affd669a1ed7157b7dfa43.
Reason for revert: Droidmonitor created revert due to b/398929391. Will be verifying through ABTD before submission.
Change-Id: I80786a1e9c435fbec45f20ae5a49f3b374883f86
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index bff3c87..fd25d0a 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -808,9 +808,6 @@
/system/system_ext/lib64 system_lib_file
/system/system_ext/lib64/does_not_exist system_lib_file
-/system_ext/bin/hw/android.hardware.drm-service.widevine.system hal_widevine_system_exec
-/system/system_ext/bin/hw/android.hardware.drm-service.widevine.system hal_widevine_system_exec
-
/vendor_dlkm vendor_file
/vendor_dlkm/does_not_exist vendor_file
/vendor/vendor_dlkm vendor_file
diff --git a/private/domain.te b/private/domain.te
index 1de057a..8db40a5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -2329,7 +2329,6 @@
# these are permissions that should be removed, and they are here for visibility.
-compos_fd_server # TODO: get connections from virtmanager
-hal_keymint_system # TODO: get connections from virtmanager
- -hal_widevine_system # TODO: get connections from virtmanager
-vmlauncher_app # TODO: get connections from virtmanager
} *:vsock_socket { connect create accept bind };
')
diff --git a/private/file_contexts b/private/file_contexts
index 23a895e..0b3e7f4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -555,7 +555,6 @@
/(system_ext|system/system_ext)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts u:object_r:tee_service_contexts_file:s0
-/(system_ext|system/system_ext)/bin/hw/android\.hardware\.drm-service\.widevine\.system u:object_r:hal_widevine_system_exec:s0
#############################
# VendorDlkm files
diff --git a/private/hal_drm.te b/private/hal_drm.te
index f24c326..211fbb7 100644
--- a/private/hal_drm.te
+++ b/private/hal_drm.te
@@ -33,7 +33,7 @@
allow hal_drm_server shell:fifo_file write;
# Allow access to ion memory allocation device
-allow { hal_drm -hal_widevine_system } ion_device:chr_file rw_file_perms;
+allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
# Allow access to hidl_memory allocation service
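Review bot: The restored `allow hal_drm ion_device:chr_file rw_file_perms;` and, in the next hunk, the `sysfs:file` and `tee_device:chr_file` rules again apply to every domain carrying the hal_drm attribute, and nothing at these lines records that a system-side server has to be carved out. The reverted change declared hal_widevine_system as a coredomain and attached it with `hal_server_domain(hal_widevine_system, hal_drm)`, so a reland that restores the type without the three `-hal_widevine_system` exclusions would give a coredomain rw access to the TEE and ion device nodes (and would presumably trip neverallow checks). I would add a comment above each of the three rules, such as `# Attribute-wide grant: exclude any coredomain hal_drm server here (see ea494f23bdc8)`. Separately, the `sysfs:file` rule targets the generic sysfs label, which looks broader than a DRM HAL needs; narrowing it is out of scope for a revert but worth a follow-up.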
@@ -42,9 +42,9 @@
# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;
-allow { hal_drm -hal_widevine_system } sysfs:file r_file_perms;
+allow hal_drm sysfs:file r_file_perms;
-allow { hal_drm -hal_widevine_system } tee_device:chr_file rw_file_perms;
+allow hal_drm tee_device:chr_file rw_file_perms;
allow hal_drm_server { appdomain -isolated_app }:fd use;
diff --git a/private/hal_widevine_system.te b/private/hal_widevine_system.te
deleted file mode 100644
index 57213b3..0000000
--- a/private/hal_widevine_system.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type hal_widevine_system, domain, coredomain;
-hal_server_domain(hal_widevine_system, hal_drm)
-
-type hal_widevine_system_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(hal_widevine_system)
-
-allow hal_widevine_system self:vsock_socket { create_socket_perms_no_ioctl };
diff --git a/private/property.te b/private/property.te
index 2796d7f..cd87e7a 100644
--- a/private/property.te
+++ b/private/property.te
@@ -79,7 +79,6 @@
system_internal_prop(system_service_enable_prop)
system_internal_prop(ctl_artd_pre_reboot_prop)
system_internal_prop(trusty_security_vm_sys_prop)
-system_internal_prop(trusty_widevine_vm_sys_prop)
system_internal_prop(hint_manager_config_prop)
# Properties which can't be written outside system
diff --git a/private/property_contexts b/private/property_contexts
index 8801a17..d80931c 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1808,9 +1808,6 @@
# Properties related to Trusty VMs
trusty.security_vm.nonsecure_vm_ready u:object_r:trusty_security_vm_sys_prop:s0 exact bool
trusty.security_vm.vm_cid u:object_r:trusty_security_vm_sys_prop:s0 exact int
-trusty.widevine_vm.nonsecure_vm_ready u:object_r:trusty_widevine_vm_sys_prop:s0 exact bool
-trusty.widevine_vm.vm_cid u:object_r:trusty_widevine_vm_sys_prop:s0 exact int
-trusty.widevine_vm.port u:object_r:trusty_widevine_vm_sys_prop:s0 exact int
# Properties that allows vendors to enable Trusty security VM features
trusty.security_vm.enabled u:object_r:trusty_security_vm_sys_vendor_prop:s0 exact bool