Revert "Restore system_server ioctl socket access."
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde0
.
Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
This commit is contained in:
parent
47e25deb7a
commit
863ce3e7c7
2 changed files with 2 additions and 2 deletions
|
@ -175,7 +175,7 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
|
|||
###
|
||||
|
||||
# All socket ioctls must be restricted to a whitelist.
|
||||
neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
|
||||
neverallowxperm domain domain:socket_class_set ioctl { 0 };
|
||||
|
||||
# Do not allow any domain other than init or recovery to create unlabeled files.
|
||||
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||
|
|
|
@ -81,7 +81,7 @@ allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|||
# to the kernel. The ioctl permission is specifically omitted here, but may
|
||||
# be added to device specific policy along with the ioctl commands to be
|
||||
# whitelisted.
|
||||
allow system_server self:socket create_socket_perms;
|
||||
allow system_server self:socket create_socket_perms_no_ioctl;
|
||||
|
||||
# Set and get routes directly via netlink.
|
||||
allow system_server self:netlink_route_socket nlmsg_write;
|
||||
|
|
Loading…
Reference in a new issue