Revert "Restore system_server ioctl socket access." am: 58305da9

am: b2245d64 Change-Id: Ib8ab9ee9051d405801857d30df0a37c43a24928e

Revert "Restore system_server ioctl socket access." am: 58305da9
f4c76c5f · Nick Kralevich · android-build-merger · ff6715f3 · b2245d64 · f4c76c5f
Commit f4c76c5f authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -177,7 +177,7 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 ###
 # All socket ioctls must be restricted to a whitelist.
-neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;

--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@ allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
 # to the kernel. The ioctl permission is specifically omitted here, but may
 # be added to device specific policy along with the ioctl commands to be
 # whitelisted.
-allow system_server self:socket create_socket_perms;
+allow system_server self:socket create_socket_perms_no_ioctl;
 # Set and get routes directly via netlink.
 allow system_server self:netlink_route_socket nlmsg_write;