shell.te: revoke syslog(2) access to shell user

am: c9630dc6a1 Change-Id: I81c7f5b62ad2b057a586148ff6ce4cc7654be98a
2016-11-17 15:33:38 +00:00 · 2016-11-17 15:33:38 +00:00 · 883d1a1893
commit 883d1a1893
parent bbf21a4ffe c9630dc6a1
2 changed files with 1 additions and 7 deletions
--- a/public/app.te
+++ b/public/app.te
@ -425,10 +425,7 @@ neverallow appdomain
    proc:dir_file_class_set write;

 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
--- a/public/shell.te
+++ b/public/shell.te
@ -85,9 +85,6 @@ userdebug_or_eng(`
  set_prop(shell, persist_debug_prop)
 ')

-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service