From f86d54f0d1310fe0003c212f75fd7f212257b873 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 3 Apr 2017 11:26:01 -0700
Subject: [PATCH] No access to tee domain over Unix domain sockets

The tee domain is a vendor domain. Thus it cannot be accessed by
non-vendor components over Unix domain sockets.

It appears that the rules granting this access are not needed.

Test: Flash a clean build with this change. Confirm that bullhead,
      angler, sailfish, and ryu boot without new denials.
      Confirm that YouTube, Netflix, Google Play Movies play back
      videos without new denials.
Bug: 36714625
Bug: 36715266

Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a
---
 private/surfaceflinger.te | 1 -
 public/drmserver.te       | 1 -
 public/hal_drm.te         | 2 --
 public/hal_keymaster.te   | 2 --
 public/mediaserver.te     | 3 ---
 5 files changed, 9 deletions(-)

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f143580dd..9f5e4fa69 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -60,7 +60,6 @@ r_dir_file(surfaceflinger, dumpstate)
 
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
-allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 
diff --git a/public/drmserver.te b/public/drmserver.te
index 825e828bf..f752c13ee 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -31,7 +31,6 @@ type drmserver_socket, file_type;
 # Clearly, /data/app is the most logical place to create a socket.  Not.
 allow drmserver apk_data_file:dir rw_dir_perms;
 allow drmserver drmserver_socket:sock_file create_file_perms;
-allow drmserver tee:unix_stream_socket connectto;
 # Delete old socket file if present.
 allow drmserver apk_data_file:sock_file unlink;
 
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 05fe34784..a773dd5fc 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -34,8 +34,6 @@ allow hal_drm media_data_file:file { getattr read };
 
 allow hal_drm sysfs:file r_file_perms;
 
-# Connect to tee service.
-allow hal_drm tee:unix_stream_socket connectto;
 allow hal_drm tee_device:chr_file rw_file_perms;
 
 # only allow unprivileged socket ioctl commands
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c39..afcd0bd9d 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,4 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster tee:unix_stream_socket connectto;
-
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 93f154805..e9aa421f6 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -78,9 +78,6 @@ unix_socket_connect(mediaserver, drmserver, drmserver)
 # but seems appropriate for all devices.
 unix_socket_connect(mediaserver, bluetooth, bluetooth)
 
-# Connect to tee service.
-allow mediaserver tee:unix_stream_socket connectto;
-
 add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
-- 
GitLab