Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 0d1e52a50f1770bbdcae11f444570a86c3b1eeb1^! / .
commit0d1e52a50f1770bbdcae11f444570a86c3b1eeb1[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Mon Apr 02 14:17:59 2018 -0700
committerJeffrey Vander Stoep <jeffv@google.com>Tue Apr 03 13:56:58 2018 +0000
tree824455bb8f581c538cdd0fb87608c0d999fdc03c
parentf22c062c16a28b9cc28acb37cbc84a4f0acb0670 [diff]
Remove deprecated tagSocket() permissions

tagSocket() now results in netd performing these actions on behalf
of the calling process.

Remove direct access to:
/dev/xt_qtaguid
/proc/net/xt_qtaguid/ctrl

Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
    -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb

diff --git a/private/system_server.te b/private/system_server.te
index 0d9f72c..ee57867 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -122,10 +122,6 @@
 # for dumping stack traces of native processes.
 r_dir_file(system_server, domain)
 
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 

diff --git a/public/mediaserver.te b/public/mediaserver.te
index f0c94ed..b20835a 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te

@@ -60,10 +60,6 @@
 # Grant access to read files on appfuse.
 allow mediaserver app_fuse_file:file { read getattr };
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)

diff --git a/public/update_engine.te b/public/update_engine.te
index 6e97aa9..00f70bc 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te

@@ -4,11 +4,6 @@
 
 net_domain(update_engine);
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:global_capability_class_set { fowner sys_admin };