Merge "enable ioctl filtering on other filesystem types"

2018-10-10 20:17:16 +00:00 · 2018-10-10 20:17:16 +00:00 · 505bc75e6d
commit 505bc75e6d
parent 0e79107309 6695c50dee
1 changed files with 3 additions and 2 deletions
--- a/public/domain.te
+++ b/public/domain.te
@ -292,8 +292,9 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };

 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required