From 863ce3e7c73aa3130eb8e14dd1b5a6ed22f0bae6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 7 Nov 2016 16:23:01 -0800
Subject: [PATCH] Revert "Restore system_server ioctl socket access."

The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.

A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.

This reverts commit ec3285cde08a7ecb8de1beae7a2ec6ddf1efe5ba.

Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
---
 public/domain.te        | 2 +-
 public/system_server.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 68e81ed7d..bbf4d687c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -175,7 +175,7 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ###
 
 # All socket ioctls must be restricted to a whitelist.
-neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
diff --git a/public/system_server.te b/public/system_server.te
index 924a6d308..9c075fbe1 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@ allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
 # whitelisted.
-allow system_server self:socket create_socket_perms;
+allow system_server self:socket create_socket_perms_no_ioctl;
 
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;
-- 
GitLab