From ff2745064431351235367b1aeff586afdf3beae3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 10 Mar 2016 14:25:14 -0800
Subject: [PATCH] system_server: clean up duplicate permissions

Remove permissions which are already covered by other permissions.

Found by running:

  sepolicy-analyze path/to/sepolicy dups

No functional change.

Change-Id: I526d1c1111df718b29e8276b024fa0788ad17c71
---
 system_server.te | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/system_server.te b/system_server.te
index 757591f56..fc0ad8e0b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -91,7 +91,8 @@ allow system_server mediaserver:process { getsched setsched };
 
 # Read /proc/pid data for all domains. This is used by ProcessCpuTracker
 # within system_server to keep track of memory and CPU usage for
-# all processes on the device.
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
 r_dir_file(system_server, domain)
 
 # Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
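Review bot: The expanded comment above `r_dir_file(system_server, domain)` says /proc/pid access is needed for native stack dumps, but it does not say which domains that covers. After the second hunk removes the per-domain `r_dir_file` rules, that list survives only in the `debuggerd dump_backtrace` allow rule. If the blanket `domain` grant is later narrowed as a least-privilege cleanup, nothing here tells the editor that those nine native domains must keep /proc read access. Consider adding a pointer such as `# (native domains: see the debuggerd dump_backtrace rule below)`. The phrase "/proc/pid files access" would also read better as "access to /proc/pid files".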
@@ -151,17 +152,6 @@ binder_service(system_server)
 # Ask debuggerd to dump backtraces for native stacks of interest.
 allow system_server { audioserver cameraserver mediaserver mediacodec mediadrmserver mediaextractor sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
-# Read /proc/pid files for dumping stack traces of native processes.
-r_dir_file(system_server, audioserver)
-r_dir_file(system_server, cameraserver)
-r_dir_file(system_server, mediaserver)
-r_dir_file(system_server, mediadrmserver)
-r_dir_file(system_server, mediaextractor)
-r_dir_file(system_server, mediacodec)
-r_dir_file(system_server, sdcardd)
-r_dir_file(system_server, surfaceflinger)
-r_dir_file(system_server, inputflinger)
-
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
 allow system_server audioserver:udp_socket rw_socket_perms;
-- 
GitLab