Disallow most domains from getting dac_override and dac_read_search.
Instead of getting these permissions, it is better to add the process
to a group or change the permissions of the files it tries to access.
Test: Built the policy for many devices.
Change-Id: If023d98bcc479bebbedeedf525965ffb17a0e331
diff --git a/public/domain.te b/public/domain.te
index c09ee50..24514bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1222,3 +1222,29 @@
-perfprofd
} vendor_file:file { create_file_perms x_file_perms };
')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow domain self:capability dac_read_search;
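Review bot: The dac_read_search neverallow on the last line is stricter than the dac_override rule above it, yet it adds no enforcement for the domains exempted there: CAP_DAC_OVERRIDE already bypasses the read and search DAC checks that CAP_DAC_READ_SEARCH bypasses, so a domain allowed dac_override gains nothing by being denied dac_read_search. What the asymmetry does buy is noise — on kernels whose generic_permission() checks CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for read/search access (worth confirming against the target kernels), every such access by dnsmasq, netd, vold, zygote and the other exempted domains will log a dac_read_search denial and then succeed via dac_override, which trains people to ignore denials from exactly the domains that hold the most powerful capability. Use the same bracketed exemption set for the second rule (or define it once with an m4 macro and reference it in both), so the two rules stay in lockstep as exemptions are added or removed. Separately, the exemption list itself carries no rationale; a one-line comment per domain, or at least `# TODO: shrink this list; each entry should move to a Unix group or a permission fix`, would make the intent on L15–L17 actionable rather than aspirational.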