Merge "enable ioctl filtering on other filesystem types"

505bc75e · Treehugger Robot · Gerrit Code Review · 0e791073 · 6695c50d · 505bc75e
Commit 505bc75e authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -292,8 +292,9 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;

 # All domains must clearly enumerate what ioctls they use
-# on plain files and directories
-allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+# on filesystem objects (plain files, directories, symbolic links,
+# named pipes, and named sockets)
+allowxperm domain { file_type fs_type }:{ dir notdevfile_class_set } ioctl { 0 };

 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required