From 6c451da4ec15f234eb591d638d4b501213af5b5a Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Tue, 22 Sep 2015 13:03:41 -0700
Subject: [PATCH] Remove mediaserver sysfs write permissions.

Mediaserver no longer appears to need, and maybe never did need, write
permission to sysfs files.
commit: 1de9c492d1343f7c92b4a7d6aa8da82c97bbf7d8 added auditing to
make sure this is the case, and such access has not been observed.
Remove the permissions and the associated auditallow rule to further
confine the mediaserver sandbox.

Bug: 22827371
Change-Id: I44ca1521b9791db027300aa84e54c074845aa735
---
 mediaserver.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/mediaserver.te b/mediaserver.te
index 65438ba89..d335ae802 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -35,8 +35,7 @@ set_prop(mediaserver, audio_prop)
 allow mediaserver audio_device:chr_file rw_file_perms;
 
 # XXX Label with a specific type?
-allow mediaserver sysfs:file rw_file_perms;
-auditallow mediaserver sysfs:file { write append };
+allow mediaserver sysfs:file r_file_perms;
 
 # Read resources from open apk files passed over Binder.
 allow mediaserver apk_data_file:file { read getattr };
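Review bot: The retained rule `allow mediaserver sysfs:file r_file_perms;` still grants read access to every file carrying the generic `sysfs` label, and the `# XXX Label with a specific type?` comment above it is left unanswered. Since the description says the write path was audited and never observed, the comment should record that. It could read `# Read-only: write/append was audited (commit 1de9c492d1343f7c92b4a7d6aa8da82c97bbf7d8) and never observed. Nodes that need writes must get their own type.` With the `auditallow` gone, a write attempt will presumably surface as an `avc: denied { write }` record for mediaserver on `sysfs`, unless a `dontaudit` rule outside this hunk suppresses it, so that is the signal to watch for regressions. Device-specific policy is not visible here, so it is worth confirming that no vendor tree relied on the removed write permission.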
-- 
GitLab