From 60575233bcba10e9a9063735cb1bcd747cf4730f Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Mon, 11 Dec 2017 15:05:52 -0800
Subject: [PATCH] Disallow most domains from getting dac_override and
 dac_read_search.

Instead of granting these capabilities, it is better to add the process
to a Unix group or to change the permissions of the files it needs to access.

Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331
---
 public/domain.te | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index c09ee505f..24514bf0f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1222,3 +1222,29 @@ full_treble_only(`
     -perfprofd
   } vendor_file:file { create_file_perms x_file_perms };
 ')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+  domain
+  -dnsmasq
+  -dumpstate
+  -init
+  -installd
+  -install_recovery
+  -lmkd
+  -netd
+  -perfprofd
+  -postinstall_dexopt
+  -recovery
+  -sdcardd
+  -tee
+  -ueventd
+  -uncrypt
+  -vendor_init
+  -vold
+  -vold_prepare_subdirs
+  -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
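Review bot: The `dac_read_search` rule on the last line of the hunk exempts no domain at all, while the eighteen domains listed just above it keep `dac_override`; upstream Linux's directory permission check (`generic_permission` in fs/namei.c) tests CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE, so as far as I can tell a `dac_override`-only domain that traverses a directory it lacks DAC access to will log an audited `dac_read_search` denial on every such access, and this neverallow now prevents a device policy from fixing that with an allow rule. Unless the target kernels differ from upstream here, the `dac_read_search` rule should subtract the same exclusion set as the `dac_override` rule, or the hunk should at least carry a comment stating that those denials are expected and are to be handled with `dontaudit`, not `allow`. Keeping two copies of an eighteen-entry list in sync by hand is fragile; declaring the set once with an m4 `define` (say `dac_override_allowed`) and writing `neverallow { domain -dac_override_allowed } self:capability dac_override;` and `neverallow { domain -dac_override_allowed } self:capability dac_read_search;` makes the pairing explicit. The comment on the first added lines says why the capability is undesirable but not why any of the listed domains is exempt; a one-line reason or bug reference next to each entry (why `tee`, `perfprofd` or `lmkd` still need it) would let maintainers retire entries as the underlying file permissions get fixed. The exclusion list itself is complete within the hunk, so nothing here depends on lines outside it.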
-- 