Remove the ioctl permission for most socket types. For others, such as
tcp/udp/rawip/unix_dgram/unix_stream, set a default unprivileged whitelist
that individual domains may extend (except where neverallowed like
untrusted_app). Enforce via a neverallowxperm rule.
Change-Id: I7573fdb24f9c53ad169bce2aeab1baac8b2a11ea

Move device-specific policy to a local device_domain_deprecated attribute
to focus effort on core policy.
Bug: 28760354
Change-Id: Id08cc74a3a2c7b8ff242b3c6f26bd514e6855a48

Addresses denials such as:
avc: denied { dac_override } for comm="thermald" capability=1 scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability
Also add an auditallow rule to track this permission for further analysis.
We already allow this on hammerhead.
Change-Id: I02b15e9725f42d4c9d9f829982a5a00175160af2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

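Added example, not part of the commit above or of the project's policy: Python that parses an AVC denial like the one quoted in that message and builds the allow rule together with the matching auditallow rule the message mentions. The function names are hypothetical, and the sample input is the denial line from the commit message.

```python
import re

# Constructed sample input: the denial quoted in the commit message above.
SAMPLE_DENIAL = (
    'avc: denied { dac_override } for comm="thermald" capability=1 '
    'scontext=u:r:thermald:s0 tcontext=u:r:thermald:s0 tclass=capability'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')


def parse_avc(line):
    """Return perms, source type, target type and class, or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs; values may be double-quoted (comm="thermald").
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('fields')))
    try:
        # A context is user:role:type:level; the type is the third field.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': m.group('perms').split(),
        'source': source,
        'target': target,
        'tclass': tclass,
        'comm': fields.get('comm', '').strip('"'),
    }


def candidate_rules(denial):
    """Build the allow rule and the matching auditallow rule for one denial."""
    # When source and target type are the same, the rule is written with "self".
    target = 'self' if denial['source'] == denial['target'] else denial['target']
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    body = f"{denial['source']} {target}:{denial['tclass']} {perm_text};"
    return [f'allow {body}', f'auditallow {body}']


if __name__ == '__main__':
    for rule in candidate_rules(parse_avc(SAMPLE_DENIAL)):
        print(rule)
```

The auditallow rule does not grant anything by itself; it logs each use of a permission that an allow rule grants, which is what makes the permission trackable for later analysis.
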
Also just remove all specific domain access and instead
allow diag_device access for all domains on the
userdebug/user builds.
Change-Id: I2dc79eb47e05290902af2dfd61a361336ebc8bca
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Bring policy over from the mako board which
has a lot of similar domains and services.
mako is also a Qualcomm board which allows
a lot of that policy to be directly brought
over and applied.
Included in this are some radio-specific
pieces. Though not directly applicable to
flo, the deb board inherits this policy.
Change-Id: I6b294c7dc830189c08f1f981a239234a2c3f577f