From ae48ecbde9e9e0cc69d5d89f895d96e08ab813a4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 7 Oct 2017 16:03:59 +0000
Subject: [PATCH] Revert "Ensure /sys restrictions for isolated_apps"
Bullhead and dragon are broken. Revert until I can fix
those builds.
Dragon:
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26264 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };
Bullhead:
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_power_management:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_socinfo:file { ioctl read lock open };
libsepol.report_failure: neverallow on line 113 of system/sepolicy/private/isolated_app.te (or line 26283 of policy.conf) violated by allow isolated_app sysfs_thermal:file { ioctl read lock open };
libsepol.check_assertions: 3 neverallow failures occurred
This reverts commit 579366a0baf589554a8b7d1e40ad1f5512cc5c0b.
Change-Id: I1ea4824e226c06628769898299f2e322060d0d06
Test: policy compiles.
---
private/isolated_app.te | 8 --------
1 file changed, 8 deletions(-)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 30253af60..951a0df25 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -103,11 +103,3 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
neverallow isolated_app webview_zygote_socket:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
- sysfs_type
- -sysfs_devices_system_cpu
- -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
-}:file no_rw_file_perms;
--
GitLab