toolbox.te: remove unneeded FS_IOC_FS[GS]ETXATTR permission
These ioctls don't need to be allowed, as they'd only be needed to set
project quota IDs. But this is only done by other domains (installd,
vold, and mediaprovider_app). Probably it was originally planned for an
init script to run 'chattr -p ID', but this didn't end up happening.
This is a basically revert of commit 4de3228c461d ("Allow toolbox to set
project quota IDs.") (https://r.android.com/1224007).
Also remove an outdated comment at the top of the file.
Test: booted Cuttlefish, no denials seen.
Change-Id: If61179a35f419c6cbfcf1432a86b2c1375db71ed
diff --git a/public/toolbox.te b/public/toolbox.te
index 4c2cc3e..93adbc4 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -1,5 +1,4 @@
# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, system_file_type, exec_type, file_type;
@@ -28,11 +27,6 @@
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };
-# chattr +F and chattr +P /data/media in init
+# chattr +F /data/media in init
allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
+allowxperm toolbox media_rw_data_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };