Revert "Migrate to upstream policy version 30"

This reverts commit 2ea23a6e1ade883ba81f58b364109c4da94ba584.

Change-Id: I5e9efa56d74ab22030611cab515e050e0bb77aca
diff --git a/Android.mk b/Android.mk
index 91d6303..102b2b1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
+POLICYVERS ?= 29
 
 MLS_SENS=1
 MLS_CATS=1024
diff --git a/ioctl_macros b/ioctl_macros
index c1af6b4..e71e0ce 100644
--- a/ioctl_macros
+++ b/ioctl_macros
@@ -5,16 +5,7 @@
 0x8900-0x8926 0x8928-0x89ff
 # all wireless extensions ioctls except get/set essid
 # IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B00-0x8B19 0x8B1C-0x8BFF
+0x8B00-0x8B09 0x8B1C-0x8BFF
 # commonly used TTY ioctls
 0x5411 0x5451
 }')
-
-# socket ioctls never allowed to unprivileged appss
-define(`priv_sock_ioctls', `
-{
-# Mac address SIOCGIFHWADDR
-0x8927
-# get/set essid IOCSIWESSID 0x8B1A SIOCGIWESSID 0x8B1B
-0x8B1A-0x8B1B
-}')
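Review bot: The restored range `0x8B00-0x8B09` contradicts the comment above it, which says every wireless-extension ioctl except get/set essid (0x8B1A, 0x8B1B) is listed; 0x8B0A through 0x8B19 are now left out as well. That correction looks independent of the policy version, since the macro is plain text until an xperm rule uses it, so the revert could keep `0x8B00-0x8B19 0x8B1C-0x8BFF`. Dropping `priv_sock_ioctls` here, together with the `neverallowxperm` deletions in isolated_app.te and untrusted_app.te, leaves no visible rule that keeps SIOCGIFHWADDR (0x8927) away from app sockets, even though untrusted_app.te still forbids reading `sysfs_mac_address`. A marker next to that neverallow, such as `# TODO: restore the priv_sock_ioctls neverallowxperm once POLICYVERS >= 30`, would record the gap. The enclosing define starts above this hunk, so its name and opening brace are not visible here.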
diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f..2cf5578 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
@@ -50,7 +47,3 @@
 # Do not allow isolated_app access to /cache
 neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
-
-# do not allow privileged socket ioctl commands
-neverallowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
diff --git a/untrusted_app.te b/untrusted_app.te
index 889658d..9d80bd8 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -85,9 +85,6 @@
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.
@@ -149,9 +146,6 @@
 # Do not allow untrusted_app to access network MAC address file
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
-# do not allow privileged socket ioctl commands
-neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
 neverallow untrusted_app cache_file:file ~{ read getattr };