Revert "Restore system_server ioctl socket access."

The underlying ioctl denial was fixed in device-specific policy. It's not needed in core policy. A search of SELinux denials shows no reported denials, other than the ones showing up on marlin. This reverts commit ec3285cde0. Test: AndroiTS GPS Test app shows GPS data, no SELinux denials. Bug: 32290392 Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
2016-11-07 16:23:01 -08:00 · 2016-11-07 16:23:01 -08:00 · 863ce3e7c7
commit 863ce3e7c7
parent 47e25deb7a
2 changed files with 2 additions and 2 deletions
--- a/public/domain.te
+++ b/public/domain.te
@ -175,7 +175,7 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ###

 # All socket ioctls must be restricted to a whitelist.
-neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
+neverallowxperm domain domain:socket_class_set ioctl { 0 };

 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
--- a/public/system_server.te
+++ b/public/system_server.te
@ -81,7 +81,7 @@ allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
 # whitelisted.
-allow system_server self:socket create_socket_perms;
+allow system_server self:socket create_socket_perms_no_ioctl;

 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;