simplify neverallowxperm for tun_device

Test: builds, atest
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ia92fc0b9a805763779a13cad6ad3137c9327ca61
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1157187..12357c7 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -154,28 +154,7 @@
 # The tun_device ioctls below are not allowed, to prove equivalence
 # to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
-  SIOCGIFHWADDR
-  SIOCSIFHWADDR
-  TUNATTACHFILTER
-  TUNDETACHFILTER
-  TUNGETFEATURES
-  TUNGETFILTER
-  TUNGETSNDBUF
-  TUNGETVNETHDRSZ
-  TUNSETDEBUG
-  TUNSETGROUP
-  TUNSETIFF
-  TUNSETLINK
-  TUNSETNOCSUM
-  TUNSETOFFLOAD
-  TUNSETOWNER
-  TUNSETPERSIST
-  TUNSETQUEUE
-  TUNSETSNDBUF
-  TUNSETTXFILTER
-  TUNSETVNETHDRSZ
-};
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow all_untrusted_apps anr_data_file:file ~{ open append };
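Review bot: The context comment kept above the rewritten rule still says "The tun_device ioctls below are not allowed", but the new line lists the three ioctls that remain permitted and denies their complement, so the comment now reads backwards. I would reword it along the lines of `# Untrusted apps may use only FIOCLEX, FIONCLEX and TUNGETIFF on tun_device; every other ioctl is forbidden,` and keep the kernel-patch reference after it. The complement form is also a stricter assertion than the removed list, since any ioctl that was never enumerated (including ones added to the tun driver later) now trips the neverallow. That fail-closed behaviour is the safer default, but it goes beyond the "simplify" in the title and deserves a sentence in the commit message. Whether the "prove equivalence" claim about the linked kernel patch still holds for the broader rule cannot be judged from this hunk and should be confirmed against that patch.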