Disallow most domains from getting dac_override and dac_read_search.

Instead of getting these permissions, it is better to add the process to a group or change the permissions of the files it tries to access. Test: Built the policy for many devices. Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331

Disallow most domains from getting dac_override and dac_read_search.
60575233 · Joel Galenson · 3506ad3f · 60575233
Commit 60575233 authored 7 years ago by Joel Galenson
--- a/public/domain.te
+++ b/public/domain.te
@@ -1222,3 +1222,29 @@ full_treble_only(`
    -perfprofd
  } vendor_file:file { create_file_perms x_file_perms };
 ')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+  domain
+  -dnsmasq
+  -dumpstate
+  -init
+  -installd
+  -install_recovery
+  -lmkd
+  -netd
+  -perfprofd
+  -postinstall_dexopt
+  -recovery
+  -sdcardd
+  -tee
+  -ueventd
+  -uncrypt
+  -vendor_init
+  -vold
+  -vold_prepare_subdirs
+  -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;