From a8d89c31025caa594dae28d528f8a97cfbc3cc79 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 5 Jan 2016 09:36:12 -0800
Subject: [PATCH] expand scope of priv_sock_ioctls neverallows

From self to domain

Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
---
 isolated_app.te | 2 +-
 shell.te | 2 +-
 untrusted_app.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/isolated_app.te b/isolated_app.te
index 1e40a7f57..c155b12b7 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -52,5 +52,5 @@ neverallow isolated_app cache_file:dir ~{ r_dir_perms };
 neverallow isolated_app cache_file:file ~{ read getattr };
 # do not allow privileged socket ioctl commands
-neverallowxperm isolated_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm isolated_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/shell.te b/shell.te
index 46656c293..28e713889 100644
--- a/shell.te
+++ b/shell.te
@@ -138,4 +138,4 @@ allowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl unpriv_sock_i
 neverallow shell file_type:file link;
 # Do not allow privileged socket ioctl commands
-neverallowxperm shell self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/untrusted_app.te b/untrusted_app.te
index 9e418731c..bb5477371 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
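Review bot: The `+` line widens the target from `self` to `domain`, but the comment above it still reads as if only isolated_app's own sockets were in scope, so nothing in the file records why the broader target matters and a later cleanup could narrow it back. In an xperm rule the target type is the socket's label, so `domain` presumably exists to also catch a socket created by another process and handed to isolated_app; I would record that, e.g. `# do not allow privileged socket ioctl commands on any socket, including ones received from other domains (hence domain, not self)`. The class list `{ rawip_socket tcp_socket udp_socket }` is unchanged; whether the ioctls in priv_sock_ioctls can also be issued on other socket classes the domain holds (unix, netlink) depends on the kernel's ioctl dispatch and on that macro, which is defined outside this hunk, so the class list is worth confirming rather than assuming complete.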
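Review bot: With the target now `domain`, this rule is identical in shell.te, isolated_app.te and untrusted_app.te apart from the source type, and the three copies have already drifted (capitalised comment here, lower-case in the other two), so a single rule keyed on an attribute in a shared file would be easier to keep in step; whether an existing attribute fits all three sources cannot be seen from here. The `allowxperm shell self:... ioctl unpriv_sock_ioctls` visible in the hunk header stays `self`-scoped, which is consistent, since the neverallow is the broader of the two rules. The comment should also say why the target is `domain`, e.g. `# Do not allow privileged socket ioctl commands, on shell's own sockets or on any socket it obtains from another domain`.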
@@ -152,7 +152,7 @@ neverallow untrusted_app file_type:file link;
 neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # do not allow privileged socket ioctl commands
-neverallowxperm untrusted_app self:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm untrusted_app domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 # Do not allow untrusted_app access to /cache
 neverallow untrusted_app { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-- GitLab
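Review bot: Two lines above the changed rule, `neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;` hides the MAC address in sysfs, and that only holds if the ioctl route is closed as well: priv_sock_ioctls is defined outside this hunk, so it is worth confirming it contains SIOCGIFHWADDR (and that unpriv_sock_ioctls does not), otherwise the hardware address stays readable through an ioctl on any socket in the rule's class list. The change to `domain` means the rule now also binds sockets an untrusted_app obtains from other processes, which I would state in the comment, e.g. `# do not allow privileged socket ioctl commands on any socket, including ones received from other domains (hence domain, not self)`. Socket classes other than `rawip_socket tcp_socket udp_socket` remain outside the rule, which may or may not be intended and is not decidable from this hunk.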