Remove sys_nice capability from domains.

Remove sys_nice capability from domains; this does not appear to be necessary and should not be possible in particular for app domains. If we encounter specific instances where it should be granted, we can add it back on a per-domain basis. Allow it explicitly for the system_server. Unconfined domains get it via unconfined_domain() and the rules in unconfined.te. Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-05-02 15:48:20 -04:00 · 2013-05-02 15:48:20 -04:00 · c0845036cc
commit c0845036cc
parent d1f448d4a5
2 changed files with 16 additions and 3 deletions
--- a/domain.te
+++ b/domain.te
@ -10,9 +10,6 @@ allow domain tmpfs:file { read getattr };
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;

-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
 # Intra-domain accesses.
 allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;
--- a/system.te
+++ b/system.te
@ -8,6 +8,22 @@ permissive system;
 unconfined_domain(system);
 relabelto_domain(system);

+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system self:capability {
+    kill
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    sys_boot
+    sys_module
+    sys_nice
+    sys_resource
+    sys_time
+    sys_tty_config
+};
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };