From 9188e83cbda208d0dcea6c82b1ad2161306bb1f5 Mon Sep 17 00:00:00 2001
From: pix106
Date: Sun, 11 Sep 2022 10:48:58 +0200
Subject: [PATCH] sdm660-common: sepolicy: drop and dontaudit kill and sys_admin permissions.

---
 sepolicy/private/dontaudit.te | 7 +++++++
 sepolicy/private/fsck.te | 1 -
 sepolicy/private/kernel.te | 1 -
 sepolicy/vendor/dontaudit.te | 25 +++++++++++++++++++++++++
 sepolicy/vendor/hal_power_default.te | 1 -
 sepolicy/vendor/installd.te | 1 -
 sepolicy/vendor/vendor_toolbox.te | 3 ---
 7 files changed, 32 insertions(+), 7 deletions(-)
 create mode 100644 sepolicy/private/dontaudit.te
 delete mode 100644 sepolicy/private/fsck.te
 delete mode 100644 sepolicy/private/kernel.te
 delete mode 100644 sepolicy/vendor/installd.te

diff --git a/sepolicy/private/dontaudit.te b/sepolicy/private/dontaudit.te
new file mode 100644
index 00000000..b58e340d
--- /dev/null
+++ b/sepolicy/private/dontaudit.te
@@ -0,0 +1,7 @@
+dontaudit boringssl_self_test self:capability sys_admin;
+dontaudit fsck self:capability kill;
+dontaudit fsverity_init self:capability sys_admin;
+dontaudit kernel self:capability kill;
+dontaudit linkerconfig self:capability { kill sys_admin };
+dontaudit odsign self:capability sys_admin;
+dontaudit vendor_boringssl_self_test self:capability sys_admin;
diff --git a/sepolicy/private/fsck.te b/sepolicy/private/fsck.te
deleted file mode 100644
index 0729f110..00000000
--- a/sepolicy/private/fsck.te
+++ /dev/null
@@ -1 +0,0 @@
-allow fsck self:capability { kill };
diff --git a/sepolicy/private/kernel.te b/sepolicy/private/kernel.te
deleted file mode 100644
index 95fb85c1..00000000
--- a/sepolicy/private/kernel.te
+++ /dev/null
@@ -1 +0,0 @@
-allow kernel self:capability { kill };
diff --git a/sepolicy/vendor/dontaudit.te b/sepolicy/vendor/dontaudit.te
index 2b1c4e1c..94d78b74 100644
--- a/sepolicy/vendor/dontaudit.te
+++ b/sepolicy/vendor/dontaudit.te
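Review bot: The seven `dontaudit` rules in the new sepolicy/private/dontaudit.te suppress the AVC records for `sys_admin`/`kill` denials in these domains, so if any of them still needs the capability for a functional reason (e.g. `fsck`, whose `allow fsck self:capability { kill };` is deleted in the same commit), the denial is enforced with no log trace, and a defender also loses the signal that a compromised process in one of these domains is probing for `sys_admin`. Nothing in the hunk or the commit message records how it was verified that these denials are benign; a short header comment such as `# Denials observed at boot and confirmed harmless; suppressed to keep the audit log clean` would make the intent auditable. The same applies to the rules added to sepolicy/vendor/dontaudit.te further down. As a point of style, the file mixes `self:capability kill;` with `self:capability { kill sys_admin };`, which is valid but reads more consistently if single permissions are written the same way as the removed `{ kill }` rules.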
@@ -1,3 +1,28 @@
 # Apps are no longer allowed open access to /dev/ashmem, unless they
 # target API level < Q.
 dontaudit untrusted_app ashmem_device:chr_file open;
+
+dontaudit adbd self:capability sys_admin;
+dontaudit blkid_untrusted self:capability sys_admin;
+dontaudit crash_dump self:capability sys_admin;
+dontaudit fsck self:capability sys_admin;
+dontaudit hal_power_default self:capability sys_admin;
+dontaudit hal_wifi_supplicant_default self:capability sys_admin;
+dontaudit installd self:capability kill;
+dontaudit irsc_util self:capability sys_admin;
+dontaudit lmkd self:capability sys_admin;
+dontaudit netutils_wrapper self:capability sys_admin;
+dontaudit rfs_access self:capability sys_admin;
+dontaudit rmt_storage self:capability sys_admin;
+dontaudit thermal-engine self:capability sys_admin;
+dontaudit toolbox self:capability { kill sys_admin };
+dontaudit ueventd self:capability sys_admin;
+dontaudit usbd self:capability sys_admin;
+dontaudit vdc self:capability sys_admin;
+dontaudit vendor_init-qti-dcvs-sh self:capability sys_admin;
+dontaudit vendor_modprobe self:capability sys_admin;
+dontaudit vendor_msm_irqbalanced self:capability sys_admin;
+dontaudit vendor_pd_mapper self:capability sys_admin;
+dontaudit vendor_toolbox self:capability sys_admin;
+dontaudit vold_prepare_subdirs self:capability sys_admin;
+
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index c10d06eb..e959aab8 100644
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -9,7 +9,6 @@ allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_p
 allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 allow hal_power_default sysfs_touchpanel:dir search;
 allow hal_power_default sysfs_touchpanel:file rw_file_perms;
-allow hal_power_default self:capability sys_admin;
 r_dir_file(hal_power_default, sysfs_graphics)
 set_prop(hal_power_default, vendor_power_prop)
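Review bot: The hunk in sepolicy/vendor/dontaudit.te ends with an added empty `+` line after `dontaudit vold_prepare_subdirs self:capability sys_admin;`, leaving a trailing blank line at end of file; drop it. The `fsck` suppressions are now split across two files — `kill` in sepolicy/private/dontaudit.te and `sys_admin` here — so a reader has to consult both to see what is hidden for that domain; unless the private/vendor placement is deliberate, keeping them together as `dontaudit fsck self:capability { kill sys_admin };` in the private file is easier to audit. For `adbd`, `crash_dump` and `lmkd`, which are core platform domains rather than vendor ones, it is worth confirming that suppressing `sys_admin` denials here does not mask a denial the upstream platform policy would otherwise report.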
diff --git a/sepolicy/vendor/installd.te b/sepolicy/vendor/installd.te
deleted file mode 100644
index 925c9389..00000000
--- a/sepolicy/vendor/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow installd installd:capability { kill };
diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te
index 77dd3de1..18ddfcd1 100644
--- a/sepolicy/vendor/vendor_toolbox.te
+++ b/sepolicy/vendor/vendor_toolbox.te
@@ -1,9 +1,6 @@
 type vendor_toolbox, domain;
 init_daemon_domain(vendor_toolbox)
-# Allow vendor_toolbox to use sys_admin capability
-allow vendor_toolbox self:capability sys_admin;
-
 # Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
 allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;