Remove sys_nice capability from domains.

Remove sys_nice capability from domains; this does not appear to be necessary
and should not be possible in particular for app domains.  If we encounter
specific instances where it should be granted, we can add it back on a
per-domain basis.  Allow it explicitly for the system_server.  Unconfined
domains get it via unconfined_domain() and the rules in unconfined.te.

Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

domain.te

@@ -10,9 +10,6 @@ allow domain tmpfs:file { read getattr };
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;
 
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
 # Intra-domain accesses.
 allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;

system.te

@@ -8,6 +8,22 @@ permissive system;
 unconfined_domain(system);
 relabelto_domain(system);
 
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system self:capability {
+    kill
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    sys_boot
+    sys_module
+    sys_nice
+    sys_resource
+    sys_time
+    sys_tty_config
+};
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };