commit 8a6cc52ed7480eb522537aa7c954c227e10e1aaa
author Tri Vo <trong@google.com> Wed Nov 28 13:47:44 2018 -0800
committer Tri Vo <trong@google.com> Thu Nov 29 04:56:18 2018 +0000
tree a01366dee880c1021beae56a573599c669476bdf
parent 0096e7af575e4a7aba76f7dc5604cb47ea9e38fb

Remove coredomain /dev access no longer needed after Treble

According to go/sedenials (internal dogfooding), coredomain access to
following types is not exercised and can be removed:
iio_device
radio_device
tee_device

Access to audio_device is still needed since some ALSA interfaces
(/dev/snd/*) are directly used by system_server.

Bug: 110962171
Test: m selinux_policy
Change-Id: I740b99813e1f93136bfcaec087b74f0e03b259ad

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 4cf8ae0..1466e6c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -326,10 +326,8 @@
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
-allow system_server radio_device:chr_file r_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
 allow system_server usbaccessory_device:chr_file rw_file_perms;
 allow system_server video_device:dir r_dir_perms;
@@ -338,7 +336,7 @@
 allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
 
-# write access needed for MIDI
+# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
 allow system_server audio_device:chr_file rw_file_perms;
 
 # tun device used for 3rd party vpn apps