sdm660-common: sepolicy: drop and dontaudit kill and sys_admin permissions.

sepolicy/private/dontaudit.te

@@ -0,0 +1,7 @@
+dontaudit boringssl_self_test self:capability sys_admin;
+dontaudit fsck self:capability kill;
+dontaudit fsverity_init self:capability sys_admin;
+dontaudit kernel self:capability kill;
+dontaudit linkerconfig self:capability { kill sys_admin };
+dontaudit odsign self:capability sys_admin;
+dontaudit vendor_boringssl_self_test self:capability sys_admin;

sepolicy/private/fsck.te

@@ -1 +0,0 @@
-allow fsck self:capability { kill };

sepolicy/private/kernel.te

@@ -1 +0,0 @@
-allow kernel self:capability { kill };

sepolicy/vendor/dontaudit.te

@@ -1,3 +1,28 @@
 # Apps are no longer allowed open access to /dev/ashmem, unless they
 # target API level < Q.
 dontaudit untrusted_app ashmem_device:chr_file open;
+
+dontaudit adbd self:capability sys_admin;
+dontaudit blkid_untrusted self:capability sys_admin;
+dontaudit crash_dump self:capability sys_admin;
+dontaudit fsck self:capability sys_admin;
+dontaudit hal_power_default self:capability sys_admin;
+dontaudit hal_wifi_supplicant_default self:capability sys_admin;
+dontaudit installd self:capability kill;
+dontaudit irsc_util self:capability sys_admin;
+dontaudit lmkd self:capability sys_admin;
+dontaudit netutils_wrapper self:capability sys_admin;
+dontaudit rfs_access self:capability sys_admin;
+dontaudit rmt_storage self:capability sys_admin;
+dontaudit thermal-engine self:capability sys_admin;
+dontaudit toolbox self:capability { kill sys_admin };
+dontaudit ueventd self:capability sys_admin;
+dontaudit usbd self:capability sys_admin;
+dontaudit vdc self:capability sys_admin;
+dontaudit vendor_init-qti-dcvs-sh self:capability sys_admin;
+dontaudit vendor_modprobe self:capability sys_admin;
+dontaudit vendor_msm_irqbalanced self:capability sys_admin;
+dontaudit vendor_pd_mapper self:capability sys_admin;
+dontaudit vendor_toolbox self:capability sys_admin;
+dontaudit vold_prepare_subdirs self:capability sys_admin;
+

sepolicy/vendor/hal_power_default.te

@@ -9,7 +9,6 @@ allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_p
 allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 allow hal_power_default sysfs_touchpanel:dir search;
 allow hal_power_default sysfs_touchpanel:file rw_file_perms;
-allow hal_power_default self:capability sys_admin;
 
 r_dir_file(hal_power_default, sysfs_graphics)
 set_prop(hal_power_default, vendor_power_prop)

sepolicy/vendor/installd.te

@@ -1 +0,0 @@
-allow installd installd:capability { kill };

sepolicy/vendor/vendor_toolbox.te

@@ -1,9 +1,6 @@
 type vendor_toolbox, domain;
 init_daemon_domain(vendor_toolbox)
 
-# Allow vendor_toolbox to use sys_admin capability
-allow vendor_toolbox self:capability sys_admin;
-
 # Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
 allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;