Merge "Remove unused permissions in init."
diff --git a/public/domain.te b/public/domain.te
index a914aaf..b620ec1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -426,11 +426,9 @@
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-# Nobody is allowed to make binder calls into init.
-# Only servicemanager may transfer binder references to init
-# vendor_init shouldn't use binder at all.
-neverallow * init:binder ~{ transfer };
-neverallow { domain -servicemanager } init:binder { transfer };
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
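Review bot: The new comment on the `neverallow * init:binder *;` rule describes the wrong direction: the subject is every type and the object is init's binder, so the rule stops any domain from performing a binder operation on init (calling into it, transferring references to it), not init from "doing anything with binder calls" itself. The note about a service with no SELinux domain is useful and should stay, since that is the likely way a vendor policy would trip this assertion. Suggested wording: `# No domain may perform any binder operation on init (call into it, transfer references to it). If this neverallow rule is being triggered, it's probably due to a service with no SELinux domain.` Whether init itself is barred from initiating binder calls is not established by any rule visible in this hunk.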
diff --git a/public/init.te b/public/init.te
index 55adaaa..f7ef232 100644
--- a/public/init.te
+++ b/public/init.te
@@ -553,14 +553,6 @@
allow init vold_metadata_file:dir create_dir_perms;
allow init vold_metadata_file:file getattr;
-# Allow init to use binder
-binder_use(init);
-allow init apex_service:service_manager find;
-# Allow servicemanager to pass it
-allow servicemanager init:binder transfer;
-# Allow calls from init to apexd
-allow init apexd:binder call;
-
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -585,10 +577,8 @@
# init should never execute a program without changing to another domain.
neverallow init { file_type fs_type }:file execute_no_trans;
-# init can only find the APEX service
-neverallow init { service_manager_type -apex_service }:service_manager { find };
# init can never add binder services
-neverallow init service_manager_type:service_manager { add };
+neverallow init service_manager_type:service_manager { add find };
# init can never list binder services
neverallow init servicemanager:service_manager list;
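Review bot: The comment above the changed rule is now stale: the rule was extended to `{ add find }` and the separate "init can only find the APEX service" comment was removed, but the surviving header still reads "init can never add binder services". It should say `# init can never add or find binder services`, so the compile-time assertion and its explanation agree. The hunk appears to end at the list neverallow, but with blank context lines dropped from this rendering its true end is uncertain.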