From 23ea15a12a5e253241d85f57568bec709e85f98f Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep Date: Thu, 5 Oct 2017 14:46:10 -0700 Subject: [PATCH] sepolicy: domain: remove world access to /dev/diag This driver is not safe for general use, particularly for third party apps, even on debug builds. Adding OWNERS file in a subsequent commit to prevent security violations like this from getting checked in. Test: build Change-Id: I245244e924ae247b6fbd48aa033bb71cca6067de --- sepolicy/vendor/domain.te | 4 ---- 1 file changed, 4 deletions(-) diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te index fdbac32c..eedf87fd 100644 --- a/sepolicy/vendor/domain.te +++ b/sepolicy/vendor/domain.te @@ -1,7 +1,3 @@ -userdebug_or_eng(` - allow domain diag_device:chr_file rw_file_perms; -') - # In order for /sys/kernel/debug/kgsl/proc//mem # to be created for memory tracking, the domain of # the tracked process must have permission to search
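Review bot: the deletion at the top of sepolicy/vendor/domain.te removes the `allow domain diag_device:chr_file rw_file_perms;` grant, but nothing in policy stops an equivalent rule from being added again. The commit message relies on a later OWNERS file for that. Consider adding a neverallow covering diag_device:chr_file in this same change, for app domains at minimum, so a regression fails at build time instead of depending on review. Separately, "Test: build" only shows that the policy still compiles. Because the removed rule applied to every domain on userdebug and eng builds, it would help to note in the commit message whether any domain on those builds was relying on it, for example by booting a userdebug build and checking for diag_device denials.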