From c0845036cc8c494adf0adf24c9d93a23f59566f7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 2 May 2013 15:48:20 -0400
Subject: [PATCH] Remove sys_nice capability from domains.

Remove sys_nice capability from domains; this does not appear to be necessary and should not be possible in particular for app domains. If we encounter specific instances where it should be granted, we can add it back on a per-domain basis. Allow it explicitly for the system_server. Unconfined domains get it via unconfined_domain() and the rules in unconfined.te.

Change-Id: I9669db80a04a90a22241b2fbc5236a28dcde8c6e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 3 ---
 system.te | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index 3db35d7c5..215c1a3cf 100644
--- a/domain.te
+++ b/domain.te
@@ -10,9 +10,6 @@ allow domain tmpfs:file { read getattr };
 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;
 
-# binder adjusts the nice value during IPC.
-allow domain self:capability sys_nice;
-
 # Intra-domain accesses.
 allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;
diff --git a/system.te b/system.te
index b096b68b8..3dda4b4bd 100644
--- a/system.te
+++ b/system.te
@@ -8,6 +8,22 @@ permissive system;
 unconfined_domain(system);
 relabelto_domain(system);
 
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system self:capability {
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+};
+
 # Create a socket for receiving info from wpa.
 type_transition system wifi_data_file:sock_file system_wpa_socket;
 allow system self:zygote { specifyids specifyrlimits specifyseinfo };
-- 
GitLab
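Review bot: The new `allow system self:capability { ... }` rule in the system.te hunk has no enforcement effect as things stand, because the context lines directly above it show `permissive system;` and `unconfined_domain(system);`, and the commit message itself says unconfined domains already receive sys_nice through unconfined_domain(); the comment on the rule should say so, otherwise a later reader may take this list as the grant that is actually in force. Suggest extending the comment to `# These are the capabilities assigned by the zygote to the system server. While system is unconfined this rule is subsumed by unconfined_domain(); it is kept explicit so the set is preserved when system is confined.` The set includes sys_module and sys_boot, which are broad, and the only justification given is that it mirrors what the zygote assigns, so a one-line reminder that this list must be kept in sync with the zygote's capability set would help reviewers of future changes (where that set is defined is not visible in this patch). The domain.te hunk only removes the old blanket sys_nice grant and its comment, which matches the commit description.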