Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 67a8605deba6ae292d5498d7b6f489d5c64cabe0^! / .
commit67a8605deba6ae292d5498d7b6f489d5c64cabe0[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Fri Jan 07 10:40:44 2022 +0000
committerAlan Stokes <alanstokes@google.com>Fri Jan 07 10:42:17 2022 +0000
treedcea4bd902ab8682bb9a0439cd192f2a87cb92cb
parent46680d001fed26e336ffa9de3a4095bc952ffa21 [diff]
Remove obsolete ioctl allow

No longer used, so remove the allow.

Bug: 199259751
Test: Presubmits
Change-Id: Iea61d29d14b13de86f7fbd6b6e416eea745b615e

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 36a5f53..736a135 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te

@@ -46,13 +46,6 @@
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
 allow microdroid_manager apex_mnt_dir:file create_file_perms;
 
-# Allow microdroid_manager to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_manager vsock_device:chr_file r_file_perms;
-allowxperm microdroid_manager vsock_device:chr_file ioctl {
-    IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
 # Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
 set_prop(microdroid_manager, ctl_apexd_vm_prop)
 set_prop(microdroid_manager, ctl_apkdmverity_prop)

diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 2fa101f..fea0768 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te

@@ -33,12 +33,5 @@
 # Allow microdroid_payload to open binder servers via vsock.
 allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Allow microdroid_payload to ioctl /dev/vsock.
-# TODO(b/199259751): remove the below rules
-allow microdroid_payload vsock_device:chr_file r_file_perms;
-allowxperm microdroid_payload vsock_device:chr_file ioctl {
-    IOCTL_VM_SOCKETS_GET_LOCAL_CID
-};
-
 # Payload can read extra apks
 r_dir_file(microdroid_payload, extra_apk_file)