From cd14eb443e18d94f3248da77089155c888d8720e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 12 Mar 2015 13:50:48 -0700
Subject: [PATCH] Revert "allow system_server to set kernel scheduling
 priority"

Periodically, SELinux denials of the form:

  type=1400 audit(0.0:8574): avc: denied { setsched } for comm="system_server" scontext=u:r:system_server:s0 tcontext=u:r:kernel:s0 tclass=process permissive=0

are being generated. These denials come from system_server and other
processes. There's no reason why system_server should be calling
sched_setscheduler() on a kernel thread.

Current belief is that these SELinux denials are a bug in the kernel,
and are being inappropriately triggered.

Revert 2d1650f4075db4f4f458de4c1a4cb5869c44b936. The original reason
for accepting this change was to see if it would fix bug 18085992.
Unfortunately, even after the commit, the bug was still present.
The change had no impact on the bug.

Don't inappropriately grant system_server the ability to manipulate
the scheduling priority of kernel threads.

This reverts commit 2d1650f4075db4f4f458de4c1a4cb5869c44b936.

Change-Id: I59bdf26ad247a02b741af2fa58a18e7e83ef44d8
---
 system_server.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/system_server.te b/system_server.te
index 66306152e..9079acb11 100644
--- a/system_server.te
+++ b/system_server.te
@@ -75,10 +75,6 @@ allow system_server self:netlink_route_socket nlmsg_write;
 # Kill apps.
 allow system_server appdomain:process { sigkill signal };
 
-# This line seems suspect, as it should not really need to
-# set scheduling parameters for a kernel domain task.
-allow system_server kernel:process setsched;
-
 # Set scheduling info for apps.
 allow system_server appdomain:process { getsched setsched };
 allow system_server mediaserver:process { getsched setsched };
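Review bot: dropping `allow system_server kernel:process setsched;` will bring back the `{ setsched } ... tcontext=u:r:kernel:s0` denials the commit message quotes, and since it also states those denials are believed to be spuriously triggered by a kernel bug rather than by a real need, the hunk leaves the log noise problem unaddressed. If the denial is considered benign and not to be granted, consider replacing the removed rule with `dontaudit system_server kernel:process setsched;` plus a comment pointing at the suspected kernel bug, so the audit log stays useful for real policy violations; if instead the intent is to keep the denial visible while the kernel side is investigated, the revert is correct as is, but the reason should be recorded in a comment where the rule used to be rather than only in the commit message.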
-- 
GitLab