Revert "Restrict SDK sandbox unix_stream_socket connections"
This reverts commit d226ac41e2e6ebd67f5ea98b0e224bc928de98bb.
Reason for revert: DroidMonitor identified candidate
Change-Id: Id961f81208fa18e76ae59855de9edc7b91a4201b
diff --git a/private/app.te b/private/app.te
index 07e0be0..b0b5dbb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -407,13 +407,7 @@
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services
# are examined.
-allow {
- appdomain
- -sdk_sandbox_all
-} {
- appdomain
- -sdk_sandbox_all
-}:unix_stream_socket { getopt getattr read write shutdown };
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
# Backup ability for every app. BMS opens and passes the fd
# to any app that has backup ability. Hence, no open permissions here.
diff --git a/private/sdk_sandbox_all.te b/private/sdk_sandbox_all.te
index 7776ba1..b4c655b 100644
--- a/private/sdk_sandbox_all.te
+++ b/private/sdk_sandbox_all.te
@@ -124,24 +124,3 @@
# Only dirs should be created at sdk_sandbox_all_system_data_file level
neverallow { domain -init } sdk_sandbox_system_data_file:file *;
-# Restrict unix stream sockets for IPC.
-neverallow sdk_sandbox_all {
- domain
- -sdk_sandbox_all
- -surfaceflinger
- -netd
- -logd
- -adbd
- userdebug_or_eng(`-su')
- # needed for profiling
- -traced
- -traced_perf
- -heapprofd
- # fallback crash handling for processes that can't exec crash_dump.
- -tombstoned
- -dumpstate
- # needed to connect to PRNG seeder daemon.
- -prng_seeder
- # needed by the SDK sandbox
- -system_server
-}:unix_stream_socket { create_stream_socket_perms connectto };