Merge "tee domain is a vendor domain" into oc-dev
diff --git a/private/tee.te b/private/tee.te
index 01a52de..c29bee6 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,7 +1,5 @@
-typeattribute tee coredomain;
-
init_daemon_domain(tee)
-# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
-# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
typeattribute tee socket_between_core_and_vendor_violators;
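Review bot: Dropping `typeattribute tee coredomain;` is what makes tee a vendor domain, but nothing left in the hunk says so, and a reader of private/tee.te now sees only an init_daemon_domain line and a socket-violator line. I would add a one-line comment where the removed line was, e.g. `# tee is a vendor domain (no coredomain attribute); it must not gain core-only rules.` The retained socket_between_core_and_vendor_violators attribute covers only tee's side of the socket; the new TODO names drmserver, mediaserver and surfaceflinger as the core peers, so presumably each of those domains needs the same attribute for the neverallow to be satisfied — this hunk does not show them, so verify they carry it elsewhere.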
diff --git a/public/file.te b/public/file.te
index 21d5744..92fa4a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -180,7 +180,7 @@
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
type vold_data_file, file_type, data_file_type, core_data_file_type;
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
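Review bot: The new `type tee_data_file, file_type, data_file_type;` line is the only data type in this run without core_data_file_type, and nothing explains why, so the next maintainer may "fix" it back. I would put a comment above it, e.g. `# tee is a vendor domain; its data file is deliberately not core_data_file_type (b/36720355).` Because the type stays data_file_type while leaving the core set, any coredomain that still touches tee_data_file (labeling, restorecon, or a helper) may now hit the core/vendor file neverallows — the file contexts and those consumers are not in this diff, so that is a check rather than a confirmed break.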
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index 5e66c8a..d50812c 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,6 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
allow hal_keymaster tee:unix_stream_socket connectto;
allow hal_keymaster ion_device:chr_file r_file_perms;
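Review bot: The TODO above `allow hal_keymaster tee:unix_stream_socket connectto;` is deleted but the rule itself stays, so the socket access now has no explanation at all, and the reason it stopped being a violation (both endpoints are vendor domains after this commit) is only recoverable from the commit title. I would replace the removed TODO with a short comment, e.g. `# hal_keymaster and tee are both vendor domains, so this socket does not cross the core/vendor boundary.` The domain's remaining rules lie outside this hunk.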
diff --git a/public/tee.te b/public/tee.te
index 4524281..84e6492 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -13,5 +13,8 @@
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
allow tee ion_device:chr_file r_file_perms;
r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
allow tee system_data_file:file { getattr read };
allow tee system_data_file:lnk_file r_file_perms;
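Review bot: The new comment `# TODO(b/36720355): Remove this once tee no longer access non-vendor files` has a grammar slip and does not say which rules are the violation; I would write `# TODO(b/36720355): Remove this once tee no longer accesses non-vendor files (the system_data_file rules below).` so the attribute and the rules it excuses are tied together. Note also that the socket-violator attribute for tee lives in private/tee.te while this coredata-violator attribute is added to public/tee.te; keeping both exemptions in the same file would make the domain's outstanding violations easier to audit, if the public/private split allows it. The tee domain's rules continue outside this hunk.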
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index c779711..ad1762f 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -7,8 +7,6 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_default socket_between_core_and_vendor_violators;
# TODO (b/36601695) remove hal_drm's access to /data or move to
# /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
# attribute.
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 2fd5b44..32df262 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,6 +3,3 @@
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
-
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
-typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;