Remove unnecessary HAL permissions

Comments indicate that these permissions are used to access already open FDs. However, getattr of a directory is clearly not necessary for that, search of system_data_file is already granted to domain and following symlinks is clearly not needed for reading an already open FD. Bug: 34980020 Test: boot marlin. Test drm with google play movies, no related denials Test: cts-tradefed run cts -m CtsMediaTestCases -t \ android.media.cts.MediaCasTest 5/6 tests fail with no related selinux denials. The same 5/6 also fail in selinux permissive mode. Change-Id: Ib4b9a1e18bdc479d656b2d64917bbc0358515525

Remove unnecessary HAL permissions
89d77187 · Jeff Vander Stoep · dcee57b8 · 89d77187 · 89d77187
Commit 89d77187 authored 7 years ago by Jeff Vander Stoep
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -10,9 +10,7 @@ allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
 get_prop(hal_cas, serialno_prop)
 # Read files already opened under /data
-allow hal_cas system_data_file:dir { search getattr };
 allow hal_cas system_data_file:file { getattr read };
-allow hal_cas system_data_file:lnk_file r_file_perms;
 # Read access to pseudo filesystems
 r_dir_file(hal_cas, cgroup)

--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -19,9 +19,7 @@ allow hal_drm system_file:file r_file_perms;
 allow hal_drm system_file:lnk_file r_file_perms;
 # Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
 allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
 # Read access to pseudo filesystems
 r_dir_file(hal_drm, cgroup)