From 89765083f7da758ff5a5910027ea48ce065fe2fd Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 29 Jul 2015 14:52:41 -0700
Subject: [PATCH] Temporarily downgrade to policy version number

Temporarily move from policy version 30 to 29 until device kernels
and prebuilts are all upgraded to the accepted upstream version of
the selinux ioctl command whitelisting code.

Bug: 22846070

Change-Id: I31d1e80aaee164cf41a2f01c6ca846a000898ef4
---
 Android.mk       | 2 +-
 isolated_app.te  | 3 ---
 untrusted_app.te | 3 ---
 3 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/Android.mk b/Android.mk
index 33337a6f9..8c4237071 100644
--- a/Android.mk
+++ b/Android.mk
@@ -5,7 +5,7 @@ include $(CLEAR_VARS)
 # SELinux policy version.
 # Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
 # Must be within the compatibility range reported by checkpolicy -V.
-POLICYVERS ?= 30
+POLICYVERS ?= 29
 
 MLS_SENS=1
 MLS_CATS=1024
diff --git a/isolated_app.te b/isolated_app.te
index 330f0af38..ef6898682 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -18,9 +18,6 @@ allow isolated_app app_data_file:file { read write getattr lock };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
 
-# only allow unprivileged socket ioctl commands
-allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
-
 #####
 ##### Neverallow
 #####
diff --git a/untrusted_app.te b/untrusted_app.te
index eb518e32c..d5c78e9f1 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -97,9 +97,6 @@ allow untrusted_app persistent_data_block_service:service_manager find;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
 
-# only allow unprivileged socket ioctl commands
-allow untrusted_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
-
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
 # data stored in that directory to process them one by one.
-- 
GitLab