From 0fc831c3b0b8d9a4e10d0931131a0eed06cd4275 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 29 Jul 2015 14:52:41 -0700
Subject: [PATCH] Temporarily downgrade to policy version number

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

(cherry picked from commit 89765083f7da758ff5a5910027ea48ce065fe2fd)

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
---
 Android.mk       | 2 +-
 isolated_app.te  | 3 ---
 untrusted_app.te | 3 ---
 3 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/Android.mk b/Android.mk
index 91d630301..102b2b188 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
+POLICYVERS ?= 29
 
 MLS_SENS=1
 MLS_CATS=1024
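Review bot: The `POLICYVERS ?= 29` line carries no record that 29 is a temporary value, so a later reader sees only the two generic constraints in the comment above it and has no cue to restore 30. A one-line comment such as `# Temporarily 29 rather than 30 until device kernels and prebuilts support ioctl command whitelisting; see Bug: 22846070` would pin the intent and the condition for reverting. The same gap applies to the removed `unpriv_sock_ioctls` rules in isolated_app.te and untrusted_app.te, whose absence is otherwise indistinguishable from a deliberate policy choice; a short comment at each removal site naming the policy-version dependency would make the revert discoverable. Whether those two domains retain any socket ioctl access while the rules are gone depends on allow rules outside this diff, so that should be checked before merging rather than assumed.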
diff --git a/isolated_app.te b/isolated_app.te
index 0fab85e10..f40527316 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
-
 # Google Breakpad (crash reporter for Chrome) relies on ptrace
 # functionality. Without the ability to ptrace, the crash reporter
 # tool is broken.
diff --git a/untrusted_app.te b/untrusted_app.te
index ecf85a22d..e68c57013 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -77,9 +77,6 @@ allow untrusted_app radio_service:service_manager find;
 allow untrusted_app surfaceflinger_service:service_manager find;
 allow untrusted_app app_api_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.
-- 
GitLab