From bd2ff068d75118690f0d98c0dc86b72dc6a1ad11 Mon Sep 17 00:00:00 2001
From: Davide Garberi <dade.garberi@gmail.com>
Date: Fri, 14 Sep 2018 22:44:13 +0200
Subject: msm8996: sepolicy: Fix device related neverallows

Change-Id: Iddf2ac2f63d6f3a390e1720c11b1f334cc9729aa
Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
---
 sepolicy/charger.te          | 3 ---
 sepolicy/cnd.te              | 1 -
 sepolicy/hal_perf_default.te | 1 -
 sepolicy/init.te             | 4 ++--
 sepolicy/priv_app.te         | 1 -
 sepolicy/readmac.te          | 2 --
 sepolicy/system_server.te    | 3 ---
 sepolicy/vold.te             | 1 -
 8 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/sepolicy/charger.te b/sepolicy/charger.te
index b3848df..a6785af 100644
--- a/sepolicy/charger.te
+++ b/sepolicy/charger.te
@@ -1,4 +1 @@
-allow charger persist_file:dir create_dir_perms;
-allow charger persist_file:file create_file_perms;
 allow charger rtc_device:chr_file r_file_perms;
-allow charger self:capability dac_override;
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 39e9d6b..09f270c 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,6 +1,5 @@
 allow cnd sysfs_msm_subsys:dir search;
 allow cnd sysfs_msm_subsys:file { open read };
 allow cnd sysfs_soc:dir search;
-allow cnd default_android_hwservice:hwservice_manager add;
 allow cnd system_data_file:dir read;
 allow cnd system_data_file:file { getattr ioctl open read };
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index ae707c1..47b30f4 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -3,4 +3,3 @@ allow hal_perf_default hal_graphics_composer_default:process signull;
 allow hal_perf_default proc_kernel_sched:file rw_file_perms;
 allow hal_perf_default sysfs_msm_subsys:dir search;
 allow hal_perf_default sysfs_soc:dir search;
-allow hal_perf_default hal_perf_default:capability dac_override;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 88d2f14..55f9fac 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,8 +4,8 @@ allow init debugfs_ipc:file relabelfrom;
 allow init proc_kernel_sched:file write;
 allow init sysfs_scsi_devices_0000:dir write;
 allow init { ion_device tee_device }:chr_file ioctl;
-allow init { hal_fingerprint_hwservice hidl_base_hwservice }:hwservice_manager add;
-allow init { sysfs sysfs_fingerprint }:file { open read write };
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init sysfs_fingerprint:file { open read write };
 allow init tee_device:chr_file write;
 allow init hidl_base_hwservice:hwservice_manager add;
 allow init sysfs_fingerprint:file { open read write };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 2a6d0ea..be6f717 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -14,7 +14,6 @@ allow priv_app keylayout_file:dir r_file_perms;
 allow priv_app mac_perms_file:file r_file_perms;
 allow priv_app mnt_media_rw_file:dir r_dir_perms;
 allow priv_app nonplat_service_contexts_file:file r_file_perms;
-allow priv_app persist_file:dir r_dir_perms;
 allow priv_app proc_stat:file r_file_perms;
 allow priv_app radio_data_file:dir r_dir_perms;
 allow priv_app seapp_contexts_file:file r_file_perms;
diff --git a/sepolicy/readmac.te b/sepolicy/readmac.te
index 26a3551..2a16a82 100644
--- a/sepolicy/readmac.te
+++ b/sepolicy/readmac.te
@@ -8,7 +8,5 @@ init_daemon_domain(readmac)
 allow readmac persist_file:dir rw_dir_perms;
 allow readmac persist_file:file create_file_perms;
 
-allow readmac self:capability dac_override;
-
 allow readmac diag_device:chr_file rw_file_perms;
 allow readmac sysfs:file r_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index d1bab44..51face6 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,13 +1,10 @@
 allow system_server vendor_alarm_boot_prop:file r_file_perms;
-allow system_server persist_file:dir write;
 allow system_server sysfs_fingerprint:file rw_file_perms;
 
 allow system_server install_data_file:file getattr;
 
 allow system_server zygote:process getpgid;
 
-allow system_server init:binder { call transfer };
-
 # /vendor/usr/keylayout
 r_dir_file(system_server, idc_file)
 # /vendor/usr/idc
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9df6017..7d67742 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,3 +1,2 @@
-allow vold persist_file:dir r_dir_perms;
 dontaudit vold proc_irq:dir read;
 allow vold sysfs_scsi_devices_0000:file w_file_perms;
-- 
cgit v1.2.3