msm8976-common: sepolicy: Sync timekeep rules with SODP

2018-01-10 22:17:01 +01:00 · 2018-01-10 22:17:01 +01:00 · 2ff56657dd
parent ee0365443e
commit 2ff56657dd
2 changed files with 3 additions and 9 deletions
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -1,6 +1,6 @@
 allow system_app sysfs_mdnie:file rw_file_perms;

+# TimeKeep Java service
 allow system_app time_data_file:dir search;
 allow system_app time_data_file:file rw_file_perms;
-
 set_prop(system_app, timekeep_prop)
--- a/sepolicy/timekeep.te
+++ b/sepolicy/timekeep.te
@ -1,16 +1,10 @@
 type timekeep, domain;
 type timekeep_exec, exec_type, vendor_file_type, file_type;

-# Started by init
 init_daemon_domain(timekeep)

-allow timekeep self:capability {
-    fowner
-    fsetid
-    sys_time
-    dac_override
-    dac_read_search
-};
+# Grant permission to set system time and to set the real-time lock
+allow timekeep self:capability { fowner sys_time };

 allow timekeep time_data_file:file create_file_perms;
 allow timekeep time_data_file:dir create_dir_perms;