Merge "Sepolicy: Comment out neverallow violations"

legacy/vendor/common/clatd.te

@@ -25,4 +25,4 @@
 #OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 #IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-allow clatd clatd:packet_socket map;
+#allow clatd clatd:packet_socket map;

legacy/vendor/common/dtseagleservice.te

@@ -42,7 +42,7 @@ binder_call(dtseagleservice, system_app)
 #binder_service(dtseagleservice)
 
 #Allow dtseagleservice to be registered with service manager
-allow dtseagleservice dtseagleservice_service:service_manager add;
+#allow dtseagleservice dtseagleservice_service:service_manager add;
 
 #Allow access to audio drivers
 allow dtseagleservice audio_device:dir r_dir_perms;

legacy/vendor/common/fidodaemon.te

@@ -42,7 +42,7 @@ binder_call(fidodaemon, system_app)
 #binder_service(fidodaemon)
 
 #Allow fidodaemon to be registered with service manager
-allow fidodaemon fidodaemon_service:service_manager add;
+#allow fidodaemon fidodaemon_service:service_manager add;
 
 #Allow communication with init over property server
 unix_socket_connect(fidodaemon, property, init);

legacy/vendor/common/init_shell.te

@@ -87,7 +87,7 @@ set_prop(qti_init_shell, vendor_ipacm_prop)
 set_prop(qti_init_shell, vendor_ipacm-diag_prop)
 set_prop(qti_init_shell, vendor_dataqti_prop)
 set_prop(qti_init_shell, vendor_dataadpl_prop)
-set_prop(qti_init_shell, ctl_rildaemon_prop)
+#set_prop(qti_init_shell, ctl_rildaemon_prop)
 set_prop(qti_init_shell, ctl_qcrild_prop)
 set_prop(qti_init_shell, ctl_vendor_rild_prop)
 set_prop(qti_init_shell, ctl_vendor_qmuxd_prop)
@@ -104,7 +104,7 @@ set_prop(qti_init_shell, vendor_audio_prop)
 set_prop(qti_init_shell, vendor_video_prop)
 userdebug_or_eng(`
 # Needed for starting console in userdebug mode
-set_prop(qti_init_shell, ctl_console_prop)
+#set_prop(qti_init_shell, ctl_console_prop)
 set_prop(qti_init_shell, vendor_coresight_prop)
 set_prop(qti_init_shell, vendor_audio_debug_prop)
 ')

legacy/vendor/common/location_app.te

@@ -55,4 +55,4 @@ allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
 allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
 allow vendor_location_app sysfs_data:file r_file_perms;
 unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
-allow location_app sysfs_kgsl_gpu_model:file r_file_perms;
+#allow location_app sysfs_kgsl_gpu_model:file r_file_perms;

legacy/vendor/common/perfdump_app.te

@@ -56,7 +56,7 @@ allow perfdump_app mediaserver_service:service_manager find;
 binder_call(perfdump_app, system_server)
 
 # dumpstate
-set_prop(perfdump_app, ctl_dumpstate_prop)
+#set_prop(perfdump_app, ctl_dumpstate_prop)
 unix_socket_connect(perfdump_app, dumpstate, dumpstate)
 
 dontaudit perfdump_app service_manager_type:service_manager *;

legacy/vendor/common/qti_logkit_app.te

@@ -70,7 +70,7 @@ allow qti_logkit_app qti_logkit_pub_data_file:file create_file_perms;
 allow qti_logkit_app wcnss_service_exec:file rx_file_perms;
 
 # bugreport
-allow qti_logkit_app ctl_dumpstate_prop:property_service set;
+#allow qti_logkit_app ctl_dumpstate_prop:property_service set;
 unix_socket_connect(qti_logkit_app, dumpstate, dumpstate)
 
 # ANR

legacy/vendor/common/radio.te

@@ -28,7 +28,7 @@
 # IMS needs permission to use avtimer
 allow radio avtimer_device:chr_file r_file_perms;
 
-allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
+#allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
 #diag
 userdebug_or_eng(`
     diag_use(radio)

legacy/vendor/common/secotad.te

@@ -42,10 +42,10 @@ binder_call(secotad, system_app)
 #binder_service(secotad)
 
 #Allow secotad to be registered with service manager
-allow secotad secotad_service:service_manager add;
+#allow secotad secotad_service:service_manager add;
 
 #Allow access to tee device
 allow secotad tee_device:chr_file rw_file_perms;
 
 #Allow access to firmware
-r_dir_file(secotad, firmware_file)
+r_dir_file(secotad, firmware_file)

legacy/vendor/common/seemp_health_daemon.te

@@ -42,7 +42,7 @@ binder_call(seemp_health_daemon, system_app)
 #binder_service(seemp_health_daemon)
 
 #Allow seemp_health_daemon to be registered with service manager
-allow seemp_health_daemon seemp_health_daemon_service:service_manager add;
+#allow seemp_health_daemon seemp_health_daemon_service:service_manager add;
 
 #Allow access to tee device
 allow seemp_health_daemon tee_device:chr_file rw_file_perms;

legacy/vendor/common/system_app.te

@@ -109,7 +109,7 @@ allow system_app qti_logkit_priv_socket:dir r_dir_perms;
 #allow system_app qti_logkit_priv_socket:sock_file r_file_perms;
 
 # bugreport
-allow system_app ctl_dumpstate_prop:property_service set;
+#allow system_app ctl_dumpstate_prop:property_service set;
 unix_socket_connect(system_app, dumpstate, dumpstate)
 
 # allow gba auth service to add itself as system service

legacy/vendor/test/fidotest.te

@@ -42,7 +42,7 @@ userdebug_or_eng(`
   #binder_service(fidotest)
 
   #Allow fido test daemons to be registered with service manager
-  allow fidotest fidotest_service:service_manager add;
+  #allow fidotest fidotest_service:service_manager add;
 
   # Allow communication with init over property server
   unix_socket_connect(fidotest, property, init);

legacy/vendor/test/qseeproxysample.te

@@ -40,7 +40,7 @@ userdebug_or_eng(`
   #binder_service(qseeproxysample)
 
   #Allow test daemon to be registered with service manager
-  allow qseeproxysample qseeproxysample_service:service_manager add;
+  #allow qseeproxysample qseeproxysample_service:service_manager add;
 
   #Allow test daemon to use system_server via binder to check caller identity
   binder_call(qseeproxysample, system_server)

legacy/vendor/test/seapp_contexts

@@ -25,10 +25,10 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=location_app type=app_data_file
-user=_app seinfo=platform name=com.qualcomm.qti.qlogcat levelfrom=all domain=location_app type=app_data_file
-user=_app seinfo=platform name=com.qualcomm.qti.pdrtesttool levelfrom=all domain=location_app type=app_data_file
-user=_app seinfo=platform name=com.qualcomm.qti.magcaltool levelfrom=all domain=location_app type=app_data_file
+#user=_app seinfo=platform name=com.qualcomm.qct.dlt levelfrom=all domain=location_app type=app_data_file
+#user=_app seinfo=platform name=com.qualcomm.qti.qlogcat levelfrom=all domain=location_app type=app_data_file
+#user=_app seinfo=platform name=com.qualcomm.qti.pdrtesttool levelfrom=all domain=location_app type=app_data_file
+#user=_app seinfo=platform name=com.qualcomm.qti.magcaltool levelfrom=all domain=location_app type=app_data_file
 
 #Add new domain for QSEE sample services
 user=system seinfo=platform name=com.qualcomm.qti.auth.securesampleauthservice domain=qsee_svc_app type=system_app_data_file

legacy/vendor/test/ustaservice_app.te

@@ -27,7 +27,7 @@
 type ustaservice_app, domain;
 app_domain(ustaservice_app)
 
-allow ustaservice_app vendor_usta_app_service:service_manager add;
+#allow ustaservice_app vendor_usta_app_service:service_manager add;
 allow ustaservice_app vendor_usta_app_service:service_manager find;
 allow ustaservice_app activity_service:service_manager find;
 allow ustaservice_app app_api_service:service_manager find;