Stephen Smalley committed 09258ad

Drop domain write access to sysfs for the emulator.

3.4 goldfish kernel supports sysfs labeling so we no longer need this.

Change-Id: I77514a8f3102ac8be957c57d95e7de7d5901f69d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Files changed (2)

 neverallow appdomain efs_file:dir_file_class_set { read write };
 
 # Write to various pseudo file systems.
-# Violated by in_qemu conditional rule so commented out for now.
-#neverallow { appdomain -nfc } sysfs:dir_file_class_set write;
+neverallow { appdomain -nfc } sysfs:dir_file_class_set write;
 neverallow { appdomain -system_app } selinuxfs:dir_file_class_set write;
 neverallow appdomain proc:dir_file_class_set write;
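
Review bot: The re-enabled sysfs neverallow keeps the `-nfc` exclusion but no longer has any comment, so nothing says why nfc is allowed to write to sysfs while every other app domain is not. Add a one-line comment above the rule stating the reason for the exception, as was done for the old "Violated by in_qemu conditional rule" note. The rule also only compiles because the `allow domain sysfs:file rw_file_perms;` line is removed from the in_qemu conditional in the same commit, so the two file changes have to land together.
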
 # For /sys/qemu_trace files in the emulator.
 bool in_qemu false;
 if (in_qemu) {
-allow domain sysfs:file rw_file_perms;
-}
 allow domain sysfs_writable:file rw_file_perms;
+}
 
 # Read access to pseudo filesystems.
 r_dir_file(domain, proc)
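
Review bot: Moving the closing brace below `allow domain sysfs_writable:file rw_file_perms;` puts that rule inside `if (in_qemu)`, so with `in_qemu` at its default of false no domain gets write access to sysfs_writable files any more. The commit message only mentions dropping sysfs write access for the emulator; if restricting sysfs_writable to the emulator is intended, say so in the message, otherwise keep the rule outside the conditional and remove the now-empty `if (in_qemu)` block. If the rule stays inside the block, indent it to show it is conditional. Note also that the grant is still to all of `domain`; if only specific domains need the /sys/qemu_trace files, a narrower source set would be preferable.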