Revert "Add crosvm permission to run KeyMint VM"
This reverts commit 23b712e712f473fa46e4b89833bda1ef31b9c49a.
Reason for revert: The AVF early-boot solution is in place now.
We don't need this hack!
Bug: 357025924
Test: launch_cvd --noresume --console=true \
--secure_hal=guest_keymint_trusty_insecure
CF boots successfully
Change-Id: If8187a5cd8082fd2223617c2188db1559b0744b8
diff --git a/private/crosvm.te b/private/crosvm.te
index 1031f0f..ccfffa0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -5,10 +5,6 @@
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
-# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
-# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
-is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, init_daemon_domain(crosvm))
-
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
@@ -212,9 +208,6 @@
domain
-crosvm
-virtualizationmanager
- # TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
- # directly. It should be removed once the KeyMint VM can be started with early_virtmgr
- is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;