From 0d1e52a50f1770bbdcae11f444570a86c3b1eeb1 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Mon, 2 Apr 2018 14:17:59 -0700
Subject: [PATCH] Remove deprecated tagSocket() permissions

tagSocket() now results in netd performing these actions on behalf of the calling process. Remove direct access to: /dev/xt_qtaguid /proc/net/xt_qtaguid/ctrl
Bug: 68774956
Test: -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests -m CtsNativeNetTestCases
Test: stream youtube, browse chrome
Test: go/manual-ab-ota
Change-Id: I6a044f304c3ec4e7c6043aebeb1ae63c9c5a0beb
---
 private/system_server.te | 4 ----
 public/mediaserver.te | 4 ----
 public/update_engine.te | 5 -----
 3 files changed, 13 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 0d9f72c17..ee5786700 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -122,10 +122,6 @@ allow system_server hal_audio_server:file w_file_perms;
 # for dumping stack traces of native processes.
 r_dir_file(system_server, domain)
 
-# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
-allow system_server qtaguid_proc:file rw_file_perms;
-allow system_server qtaguid_device:chr_file rw_file_perms;
-
 # Write /proc/uid_cputime/remove_uid_range.
 allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index f0c94edc0..b20835a25 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -60,10 +60,6 @@ r_dir_file(mediaserver, media_rw_data_file)
 # Grant access to read files on appfuse.
 allow mediaserver app_fuse_file:file { read getattr };
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow mediaserver qtaguid_proc:file rw_file_perms;
-allow mediaserver qtaguid_device:chr_file r_file_perms;
-
 # Needed on some devices for playing DRM protected content,
 # but seems expected and appropriate for all devices.
 unix_socket_connect(mediaserver, drmserver, drmserver)
diff --git a/public/update_engine.te b/public/update_engine.te
index 6e97aa919..00f70bc4a 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -4,11 +4,6 @@ type update_engine_exec, exec_type, file_type;
 
 net_domain(update_engine);
 
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
-# sockets.
-allow update_engine qtaguid_proc:file rw_file_perms;
-allow update_engine qtaguid_device:chr_file r_file_perms;
-
 # Following permissions are needed for update_engine.
 allow update_engine self:process { setsched };
 allow update_engine self:global_capability_class_set { fowner sys_admin };