From 069f3cff5044a33a9ed0e6bea9b1c254f2ea9050 Mon Sep 17 00:00:00 2001 From: Jeff Vander Stoep <jeffv@google.com> Date: Mon, 4 Jun 2018 15:45:01 -0700 Subject: [PATCH] ephemeral_app: disallow access to qtaguid files Apps targeting API version 28+ are not allowed to access: /proc/xt_qtaguid/* /dev/xt_qtaguid Instant apps should also be excluded from access. Fixes: 92796393 Test: make -j cts_instant cts-instant-tradefed run commandAndExit cts-instant-dev \ -m CtsPermissionTestCases \ --test android.permission.cts.FileSystemPermissionTest Change-Id: Ifa27f6a3fad9227d4df1bf50a5120a4c36422ff7 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
---
 prebuilts/api/28.0/public/app.te | 3 ---
 public/app.te | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index ac11a3a10..01daaf909 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
diff --git a/public/app.te b/public/app.te
index ac11a3a10..01daaf909 100644
--- a/public/app.te
+++ b/public/app.te
@@ -178,7 +178,6 @@ userdebug_or_eng(`
 allow {
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
@@ -190,7 +189,6 @@ r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
 r_dir_file({
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
@@ -201,7 +199,6 @@ r_dir_file({
 allow {
 untrusted_app_25
 untrusted_app_27
- ephemeral_app
 priv_app
 system_app
 platform_app
-- GitLab
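Review bot: Dropping `ephemeral_app` from the three domain sets in public/app.te (the `allow {` at -178, the `r_dir_file({` at -190 and the `allow {` at -201) removes the grant, but nothing in this patch keeps a later rule from handing it back; the diffstat shows six deletions and no additions. A compile-time assertion next to these statements, along the lines of `neverallow ephemeral_app <QTAGUID_TYPE>:<CLASS> <PERMS>;`, would fail the policy build on a regression instead of leaving the CTS FileSystemPermissionTest run as the only guard. The target types and permissions of all three statements lie outside the hunks, so confirm which statement covers /proc/xt_qtaguid/* and which /dev/xt_qtaguid before writing the assertion. The prebuilts/api/28.0 copy carries the same three removals, so the same point applies there.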