12 files changed, 39 insertions, 21 deletions

diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 6bf32b4..5b6938b 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -3,4 +3,3 @@ allow cnd sysfs_msm_subsys:file { getattr open read setattr };
 allow cnd sysfs_soc:dir search;
 allow cnd system_data_file:dir read;
 allow cnd system_data_file:file { getattr ioctl open read };
-allow cnd default_android_hwservice:hwservice_manager add;
diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te
deleted file mode 100644
index c518cc5..0000000
--- a/sepolicy/dataservice_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow dataservice_app default_android_hwservice:hwservice_manager find;
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index cb96ea5..a46b104 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -2,4 +2,3 @@ allow ims sysfs_msm_subsys:dir search;
 allow ims sysfs_msm_subsys:file { getattr open read setattr };
 allow ims sysfs_soc:dir search;
 allow ims ctl_default_prop:property_service set;
-allow ims default_android_hwservice:hwservice_manager find;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 9730a6d..159809a 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,7 +1,5 @@
 typeattribute init data_between_core_and_vendor_violators;
 
-binder_call(init, system_server);
-
 allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
 allow init debugfs_ipc:dir relabelfrom;
 allow init debugfs_ipc:file relabelfrom;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index c791cee..06bbe17 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -5,4 +5,3 @@ allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_soc:dir search;
 allow netmgrd property_socket:sock_file write;
 allow netmgrd init:unix_stream_socket connectto;
-allow netmgrd vendor_xlat_prop:property_service set;
diff --git a/sepolicy/neverallows.te b/sepolicy/neverallows.te
new file mode 100644
index 0000000..eeb858b
--- /dev/null
+++ b/sepolicy/neverallows.te
@@ -0,0 +1,39 @@
+# CND
+allow cnd default_android_hwservice:hwservice_manager add;
+
+# Dataservice
+allow dataservice_app default_android_hwservice:hwservice_manager find;
+
+# IMS
+allow ims default_android_hwservice:hwservice_manager find;
+
+# Init
+binder_call(init, system_server);
+
+# Netmgrd
+allow netmgrd vendor_xlat_prop:property_service set;
+
+# Perf
+binder_call(system_app, perfprofd);
+
+# Priv-app
+allow priv_app device:dir open;
+allow priv_app proc:file { getattr open };
+allow priv_app proc_interrupts:file open;
+allow priv_app proc_modules:file { getattr open };
+
+# Qti init
+allow qti_init_shell self:capability { dac_override dac_read_search };
+allow qti_init_shell system_data_file:dir { add_name write remove_name };
+allow qti_init_shell system_data_file:file { create getattr open read rename setattr unlink write };
+allow qti_init_shell file_contexts_file:file { getattr open read };
+
+# ReadMac
+allow readmac self:capability dac_override;
+
+# RFS
+allow rfs_access self:capability { dac_override dac_read_search };
+
+# SystemServer
+allow system_server dalvikcache_data_file:file { execute write };
+allow system_server vendor_camera_prop:file { getattr open read };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index d62b1bb..0b0b72b 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -20,10 +20,6 @@ allow priv_app sepolicy_file:file r_file_perms;
 allow priv_app service_contexts_file:file r_file_perms;
 allow priv_app vendor_file:file rx_file_perms;
 allow priv_app vndservice_contexts_file:file r_file_perms;
-allow priv_app device:dir open;
-allow priv_app proc:file { getattr open };
-allow priv_app proc_interrupts:file open;
-allow priv_app proc_modules:file { getattr open };
 
 r_dir_file(priv_app, sysfs_type);
 binder_call(priv_app, hal_memtrack_default);
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index a62472e..a5ec8a4 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -2,7 +2,3 @@ allow qti_init_shell sysfs:file write;
 allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr };
 allow qti_init_shell vfat:file { getattr open read setattr };
 allow qti_init_shell vfat:dir { open read search };
-allow qti_init_shell self:capability { dac_override dac_read_search };
-allow qti_init_shell system_data_file:dir { add_name write remove_name };
-allow qti_init_shell system_data_file:file { create getattr open read rename setattr unlink write };
-allow qti_init_shell file_contexts_file:file { getattr open read };
diff --git a/sepolicy/readmac.te b/sepolicy/readmac.te
index d25c11f..187991a 100644
--- a/sepolicy/readmac.te
+++ b/sepolicy/readmac.te
@@ -8,7 +8,5 @@ init_daemon_domain(readmac)
 allow readmac mnt_vendor_file:dir rw_dir_perms;
 allow readmac mnt_vendor_file:file create_file_perms;
 
-allow readmac self:capability dac_override;
-
 allow readmac diag_device:chr_file rw_file_perms;
 allow readmac sysfs:file r_file_perms;
diff --git a/sepolicy/rfs_access.te b/sepolicy/rfs_access.te
deleted file mode 100644
index e64a575..0000000
--- a/sepolicy/rfs_access.te
+++ /dev/null
@@ -1 +0,0 @@
-allow rfs_access self:capability { dac_override dac_read_search };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index bff7565..7dbac41 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,7 +3,6 @@ allow system_app sysfs_fingerprint:dir search;
 allow system_app shell_prop:property_service set;
 
 binder_call(system_app, wificond);
-binder_call(system_app, perfprofd);
 
 dontaudit system_app netd_service:service_manager find;
 dontaudit system_app installd_service:service_manager find;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 2236fd4..51face6 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -9,6 +9,3 @@ allow system_server zygote:process getpgid;
 r_dir_file(system_server, idc_file)
 # /vendor/usr/idc
 r_dir_file(system_server, keylayout_file)
-
-allow system_server dalvikcache_data_file:file { execute write };
-allow system_server vendor_camera_prop:file { getattr open read };