am cac0b7d6: am c0845036: Remove sys_nice capability from domains.

* commit 'cac0b7d6': Remove sys_nice capability from domains.

am cac0b7d6: am c0845036: Remove sys_nice capability from domains.
48b7e97d · Stephen Smalley · Android Git Automerger · 03566840 · cac0b7d6 · 48b7e97d
Commit 48b7e97d authored Sep 13, 2013 by Stephen Smalley Committed by Android Git Automerger Sep 13, 2013
--- a/domain.te
+++ b/domain.te
@@ -10,9 +10,6 @@ allow domain tmpfs:file { read getattr };
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
 # Intra-domain accesses.
 allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;

--- a/system.te
+++ b/system.te
@@ -8,6 +8,22 @@ permissive system;
 unconfined_domain(system);
 relabelto_domain(system);
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system self:capability {
+    kill
+    net_admin
+    net_bind_service
+    net_broadcast
+    net_raw
+    sys_boot
+    sys_module
+    sys_nice
+    sys_resource
+    sys_time
+    sys_tty_config
+};
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };