Revert "Restore system_server ioctl socket access."
The underlying ioctl denial was fixed in device-specific policy.
It's not needed in core policy.
A search of SELinux denials shows no reported denials, other than the
ones showing up on marlin.
This reverts commit ec3285cde08a7ecb8de1beae7a2ec6ddf1efe5ba.
(cherrypicked from commit 863ce3e7c73aa3130eb8e14dd1b5a6ed22f0bae6)
Test: AndroiTS GPS Test app shows GPS data, no SELinux denials.
Bug: 32290392
Change-Id: I1ba7bad43a2cdd7cdebbe1c8543a71eee765621d
diff --git a/public/domain.te b/public/domain.te
index 88abff3..8cee03f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -177,7 +177,7 @@
###
# All socket ioctls must be restricted to a whitelist.
-neverallowxperm { domain -system_server } domain:socket_class_set ioctl { 0 };
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
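Review bot: dropping the `-system_server` carve-out makes this neverallowxperm apply to system_server again, so this hunk only builds together with the system_server.te change that switches the domain to `create_socket_perms_no_ioctl`; the two should not be split into separate changes. Worth noting in the comment above (`# All socket ioctls must be restricted to a whitelist.`) that with `{ 0 }` as the tested extended permission, any device policy that re-grants `system_server self:socket ioctl` must pair it with an `allowxperm` listing the specific ioctl commands, otherwise this rule rejects it at build time, which is exactly the check the revert reinstates.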
diff --git a/public/system_server.te b/public/system_server.te
index ac1e8bd..275ee71 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -81,7 +81,7 @@
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
# whitelisted.
-allow system_server self:socket create_socket_perms;
+allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
allow system_server self:netlink_route_socket nlmsg_write;
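Review bot: the switch to `create_socket_perms_no_ioctl` matches the comment directly above it ("The ioctl permission is specifically omitted here, but may be added to device specific policy along with the ioctl commands to be whitelisted"), so the comment needs no update. The commit message says the marlin denial was fixed in device-specific policy; it would help reviewers to confirm that that device policy grants the ioctl via an `allowxperm` with an explicit command list rather than a bare `allow ... ioctl`, since only the former passes the `neverallowxperm domain domain:socket_class_set ioctl { 0 }` rule restored in domain.te.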