userdomain: no longer allow unprivileged users to read kernel symbols

Unprivileged users don't need to read kallsyms and /boot/System.map. This allow rule was introduced in the initial revision of userdomain.if in 2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972: # cjp: why? bootloader_read_kernel_symbol_table($1_t)
2014-03-23 22:20:22 +01:00 · 2014-03-23 22:20:22 +01:00 · 27f4846ff8
parent aa3fa6d2fd
commit 27f4846ff8
1 changed files with 0 additions and 2 deletions
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -1005,8 +1005,6 @@ template(`userdom_unpriv_user_template', `
 	corenet_tcp_bind_xserver_port($1_t)

 	files_exec_usr_files($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)

 	ifndef(`enable_mls',`
 		fs_exec_noxattr($1_t)