From 6fe1a7951b1c69d488872e442a514a4bf2c8767b Mon Sep 17 00:00:00 2001
From: Joel Galenson
Date: Wed, 31 Jan 2018 10:07:32 -0800
Subject: Remove dac_override and dac_read_search.

These permissions should not be granted and currently break the build.

Test: Built policy.
Change-Id: I86eb53251887c8bdc67e138488f06774b9458342
---
 sepolicy/rmt.te | 2 +-
 sepolicy/sensortool.te | 2 +-
 sepolicy/servicemanager.te | 2 +-
 sepolicy/start_hci_filter.te | 2 +-
 sepolicy/thermal-engine.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 6fcce6f..f5cacb3 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -6,7 +6,7 @@ type rmt_exec, exec_type, file_type;
 init_daemon_domain(rmt)
 # Drop (user, group) to (nobody, nobody)
-allow rmt self:capability { setuid setgid dac_override setpcap net_raw };
+allow rmt self:capability { setuid setgid setpcap net_raw };
 # opens and reads /dev/block/mmcblk0
 allow rmt root_block_device:blk_file r_file_perms;
diff --git a/sepolicy/sensortool.te b/sepolicy/sensortool.te
index f78af45..c2f44fc 100644
--- a/sepolicy/sensortool.te
+++ b/sepolicy/sensortool.te
@@ -4,7 +4,7 @@ type sensortool_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(sensortool)
 allow sensortool sensors_device:chr_file rw_file_perms;
-allow sensortool self:capability { dac_override sys_nice };
+allow sensortool self:capability sys_nice;
 allow sensortool persist_file:dir search;
 allow sensortool persist_sensortool_file:file r_file_perms;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
index 05923e0..6c2e37d 100644
--- a/sepolicy/servicemanager.te
+++ b/sepolicy/servicemanager.te
@@ -1,5 +1,5 @@
 # Drop (user, group) to (nobody, nobody)
-allow servicemanager self:capability { setuid setgid dac_override setpcap net_raw };
+allow servicemanager self:capability { setuid setgid setpcap net_raw };
 allow servicemanager init:dir search;
 allow servicemanager init:file { read open };
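Review bot: Dropping dac_override from `allow rmt self:capability { setuid setgid setpcap net_raw };` is verified only by a policy build ("Test: Built policy"), not by running the daemon, and the comment directly above the rule says rmt drops from root to nobody, which is exactly the situation in which a daemon tends to rely on dac_override to open files it no longer owns. The same applies to the sensortool, servicemanager, start_hci_filter and thermal-engine hunks in this patch. It would be worth booting the device and checking the kernel/audit log for `avc: denied { dac_override }` or `{ dac_read_search }` against these domains; if any appear, the right fix is to correct the file's owner/mode or its label so that a narrower file rule suffices, not to restore the capability. A one-line addition to the commit message such as `Test: Booted, no new dac_override/dac_read_search denials for these domains.` would record that this was checked.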
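Review bot: The remaining set in `allow servicemanager self:capability { setuid setgid setpcap net_raw };` and the `# Drop (user, group) to (nobody, nobody)` comment above it are byte-identical to the corresponding lines in rmt.te, which suggests this rule was copied from rmt rather than derived from what servicemanager actually does. net_raw in particular looks unrelated to a service manager; if it is not exercised, trimming the line to `allow servicemanager self:capability { setuid setgid setpcap };` would follow the same least-privilege intent as this commit. Since the stated goal is removing capabilities that should not be granted, confirming each remaining one against an actual denial or a documented need before a follow-up seems worthwhile.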
diff --git a/sepolicy/start_hci_filter.te b/sepolicy/start_hci_filter.te
index 0579b3f..d2704c4 100644
--- a/sepolicy/start_hci_filter.te
+++ b/sepolicy/start_hci_filter.te
@@ -4,7 +4,7 @@ type start_hci_filter_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(start_hci_filter);
-allow start_hci_filter self:capability { setuid setgid dac_override };
+allow start_hci_filter self:capability { setuid setgid };
 allow start_hci_filter proc_sysrq:file rw_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 93c2179..b2b329d 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -9,7 +9,7 @@ allow thermal-engine smem_log_device:chr_file rw_file_perms;
 allow thermal-engine thermal_device:chr_file rw_file_perms;
-allow thermal-engine self:capability { dac_read_search dac_override fsetid chown };
+allow thermal-engine self:capability { fsetid chown };
 allow thermal-engine self:capability2 wake_alarm;
 # Talk to qmuxd (/dev/socket/qmux_radio)
-- 
cgit v1.2.3
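Review bot: The context line `init_daemon_domain(start_hci_filter);` carries a trailing semicolon that the equivalent lines in rmt.te and sensortool.te in this same patch omit; the policy evidently builds with it, but it is inconsistent and presumably redundant after macro expansion, so dropping it to `init_daemon_domain(start_hci_filter)` would be a cheap cleanup while this file is being touched. Separately, the new capability set `{ setuid setgid }` sits next to `allow start_hci_filter proc_sysrq:file rw_file_perms;`, which, if proc_sysrq labels the sysrq trigger as its name suggests, grants write access to it; that rule is unchanged here, but given the commit's least-privilege aim it is worth confirming the daemon needs write rather than only read on that file.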