From 5a14bb9192eb373d369b33e9508c289460d466cd Mon Sep 17 00:00:00 2001
From: Ecco Park
Date: Wed, 22 Mar 2017 11:56:11 -0700
Subject: [PATCH] selinux : remove net_admin and root user/group

1) remove net_admin in cnss_diag.te and cnss-daemon.te
2) change the root user/group to system user/group of cnss_diag

Bug: 35326998
Bug: 32775496
Bug: 28340421
Change-Id: I2efd45395c9dcd32ae1075cbbb50aa205750f038
Signed-off-by: Ecco Park
---
 init.common.diag.rc.userdebug | 4 ++--
 init.common.rc | 6 +++---
 sepolicy/cnss-daemon.te | 4 ----
 sepolicy/cnss_diag.te | 5 -----
 4 files changed, 5 insertions(+), 14 deletions(-)

diff --git a/init.common.diag.rc.userdebug b/init.common.diag.rc.userdebug
index 5e4d9d911..9d96659ae 100644
--- a/init.common.diag.rc.userdebug
+++ b/init.common.diag.rc.userdebug
@@ -107,8 +107,8 @@ on property:persist.sys.cnss.diag_txt=false
 service cnss_diag_txt /system/bin/cnss_diag -s -f -m /data/cnss_diag/cnss_diag.conf
 class late_start
- user root
- group root
+ user system
+ group system
 disabled
 oneshot
diff --git a/init.common.rc b/init.common.rc
index 5d1d72dfd..4c9a34cc5 100644
--- a/init.common.rc
+++ b/init.common.rc
@@ -664,14 +664,14 @@ service wpa_supplicant /vendor/bin/hw/wpa_supplicant \
 service cnss_diag /system/bin/cnss_diag -q
 class late_start
- user root
- group root
+ user system
+ group system
 oneshot
 service cnss-daemon /system/bin/cnss-daemon -n -l
 class late_start
 user system
- group system inet net_admin wifi
+ group system inet wifi
 service loc_launcher /system/bin/loc_launcher
 #loc_launcher will start as root and set its uid to gps
diff --git a/sepolicy/cnss-daemon.te b/sepolicy/cnss-daemon.te
index adb20aadb..935c71470 100644
--- a/sepolicy/cnss-daemon.te
+++ b/sepolicy/cnss-daemon.te
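Review bot: Both cnss_diag services now start as `user system` / `group system`, but nothing in this patch changes the ownership of `/data/cnss_diag`, the directory the `cnss_diag_txt` command line points at via `-m /data/cnss_diag/cnss_diag.conf`; if that directory is still created root-owned elsewhere, the uid drop becomes a runtime permission failure instead of a clean privilege reduction. The same point applies to the `cnss_diag_txt` hunk in init.common.diag.rc.userdebug and the `cnss_diag` hunk in init.common.rc. Worth confirming the `mkdir`/`chown` for that path (outside this patch) and recording the contract on the service, e.g. `# runs unprivileged as system; /data/cnss_diag must be writable by system`. The companion cnss_diag.te hunk still grants `setgid setuid`, which under a non-root service uid is likely no longer effective, so the two sides should be checked together.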
@@ -2,13 +2,9 @@ type cnss-daemon, domain;
 type cnss-daemon_exec, exec_type, file_type;
-# STOPSHIP b/28340421
-# Temporarily grant this permission and log its use.
 allow cnss-daemon self:capability {
- net_admin
 net_bind_service
 };
-auditallow cnss-daemon self:capability net_admin;
 init_daemon_domain(cnss-daemon)
diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
index 8d74ff6ca..089013df1 100644
--- a/sepolicy/cnss_diag.te
+++ b/sepolicy/cnss_diag.te
@@ -2,11 +2,6 @@ type cnss_diag, domain;
 type cnss_diag_exec, exec_type, file_type;
-# STOPSHIP b/28340421
-# Temporarily grant this permission and log its use.
-allow cnss_diag self:capability net_admin;
-auditallow cnss_diag self:capability net_admin;
-
 init_daemon_domain(cnss_diag)
 allow cnss_diag self:capability { setgid setuid };
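Review bot: The `allow cnss_diag self:capability { setgid setuid };` rule kept at the end of the new side looks stale now that the init.rc hunks start cnss_diag as `user system`: a service that init launches under a non-root uid does not normally keep CAP_SETUID/CAP_SETGID, so the grant is either dead (and should go for least privilege) or is masking a root-to-system transition inside the binary that this change was meant to make unnecessary. The `auditallow` pattern this very patch removes is the cheap way to settle that; suggest either dropping the line in the same change or annotating it, e.g. `# setuid/setgid still required because <reason>; audited via auditallow before removal`. The same question applies to the `net_bind_service` capability left in the cnss-daemon.te hunk, since cnss-daemon also runs as `user system`.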