domain_deprecated: Remove access to /data/app

Logs indicate that all processes that require access already have it. Bug: 28760354 Test: build Change-Id: I8533308d0e5f9bf20e542f8435d70ba7755b4938

domain_deprecated: Remove access to /data/app
Logs indicate that all processes that require access already have it. Bug: 28760354 Test: build Change-Id: I8533308d0e5f9bf20e542f8435d70ba7755b4938
21b4a925 · Jeff Vander Stoep · 6775ee15 · 21b4a925
Commit 21b4a925 authored 7 years ago by Jeff Vander Stoep
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
 # rules removed from the domain attribute

-# Read apk files under /data/app.
-allow domain_deprecated apk_data_file:dir { getattr search };
-allow domain_deprecated apk_data_file:file r_file_perms;
-allow domain_deprecated apk_data_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:dir { getattr search };
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:file r_file_perms;
-auditallow {
-  domain_deprecated
-  -appdomain
-  -dex2oat
-  -installd
-  -system_server
-} apk_data_file:lnk_file r_file_perms;
-')
-
 # Read access to pseudo filesystems.
 r_dir_file(domain_deprecated, proc)
 r_dir_file(domain_deprecated, sysfs)