From bed5a4339ce60024b9d8ff42d3bc28bb9731bf27 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 8 Sep 2016 15:57:52 -0700
Subject: [PATCH] Revert "system_server, bluetooth: grant access to priv socket ioctls"

This reverts commit f19bcfd50fac59724f7b5731557cf086a808d112.
Bug: 31364540
Change-Id: I41d71202fe7d2e67742edd7915a95d37172ba7ea
---
 bluetooth.te | 2 --
 system_server.te | 4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/bluetooth.te b/bluetooth.te
index 2b99c3e92..146c0e511 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -2,8 +2,6 @@
 type bluetooth, domain, domain_deprecated;
 app_domain(bluetooth)
 net_domain(bluetooth)
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
 wakelock_use(bluetooth);
diff --git a/system_server.te b/system_server.te
index 5ccc05f05..9fbc66a9a 100644
--- a/system_server.te
+++ b/system_server.te
@@ -42,8 +42,8 @@ allow system_server zygote:unix_stream_socket { getopt getattr };
 # system server gets network and bluetooth permissions.
 net_domain(system_server)
 # in addition to ioctls whitelisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+# to use:
+allowxperm system_server self:udp_socket ioctl SIOCSIFFLAGS;
 bluetooth_domain(system_server)
 # These are the capabilities assigned by the zygote to the
-- 
GitLab
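Review bot: In the system_server.te hunk the rewritten comment stops at `# to use:` and the removed rationale ("Needed to set up VPNs") is not replaced, so the policy no longer records why system_server keeps any privileged socket ioctl. An extended-permission rule with no stated purpose is easy to widen back to the full `priv_sock_ioctls` set later, which is the grant this revert removes. I would make the second comment line self-explanatory, for example `# to use SIOCSIFFLAGS on its own udp sockets (presumably still for VPN interface setup; confirm).` The system_server policy continues outside the hunk, so any other ioctl grants on other socket classes cannot be checked from here.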