Merge "Update compos permissions"
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 41dd91a..e8960ef 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -7,23 +7,13 @@
# Allow using various binder services
binder_use(compos);
-use_keystore(compos);
allow compos {
authfs_binder_service
dice_node_service
}:service_manager find;
binder_call(compos, authfs_service);
binder_call(compos, diced);
-allow compos diced:diced { get_attestation_chain use_sign };
-
-# Allow payloads to use and manage their keys
-allow compos vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
+allow compos diced:diced { get_attestation_chain derive };
# Read artifacts created by odrefresh and create signature files.
allow compos authfs_fuse:dir rw_dir_perms;
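Review bot: The new rule `allow compos diced:diced { get_attestation_chain derive };` has no comment explaining why compos needs `derive`, while the keystore rules it appears to replace were introduced by one. The distinction matters for review. With `use_sign` and the `vm_payload_key` keystore2 rules, the signing operation was presumably performed by the service on compos's behalf. The name `derive` suggests that secret material is returned into the compos domain itself, which is an inference from the permission name and should be confirmed against the diced interface. I would add a comment above the rule, for example `# compos derives its signing key from its DICE secrets (replaces keystore-held keys); the derived material lives in this domain.` It is also worth confirming that no other domain in this policy is granted `diced:diced derive` without a matching justification.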
@@ -41,6 +31,4 @@
dontaudit compos self:global_capability_class_set dac_override;
# Allow domain transition into odrefresh and dex2oat.
-# TODO(b/209008712): Remove dex2oat once the migration is done.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
-domain_auto_trans(compos, dex2oat_exec, dex2oat)