Further lock down app data am: 0b67bb88 am: 90e1c5bf

am: 903377ef Change-Id: I5ec26b7f0a7e781ad3e806b63c4a0ec963e21b2f

Further lock down app data am: 0b67bb88 am: 90e1c5bf
am: 903377ef Change-Id: I5ec26b7f0a7e781ad3e806b63c4a0ec963e21b2f
243f4d19 · Jeff Vander Stoep · android-build-merger · 260bf4b5 · 903377ef · 243f4d19
Commit 243f4d19 authored 6 years ago by Jeff Vander Stoep Committed by android-build-merger 6 years ago
--- a/private/domain.te
+++ b/private/domain.te
@@ -142,12 +142,10 @@ neverallow {
  -dexoptanalyzer
  -init
  -installd
-  -mediaserver # b/80300620
  userdebug_or_eng(`-perfprofd')
  -profman
  -runas
  -system_server
-  -vold
 } { privapp_data_file app_data_file }:dir *;

 # Only apps should be modifying app data. init and installd are exempted for
@@ -163,9 +161,7 @@ neverallow {
  domain
  -appdomain
  -installd
-  -mediaserver # b/80300620
  userdebug_or_eng(`-perfprofd')
-  -vold # b/80418809
 } { privapp_data_file app_data_file }:file_class_set open;

 neverallow {

--- a/public/domain.te
+++ b/public/domain.te
@@ -1280,7 +1280,6 @@ neverallow {
  domain
  -appdomain
  -installd
-  -uncrypt  # TODO: see if we can remove
 } { app_data_file privapp_data_file }:lnk_file read;

 neverallow {

--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -27,11 +27,7 @@ binder_service(mediaserver)

 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
-# TODO(b/80190017, b/80300620): remove direct access to private app data
-userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:dir search;')
-allow mediaserver { app_data_file privapp_data_file }:dir search;
-userdebug_or_eng(`auditallow mediaserver { app_data_file privapp_data_file }:file open;')
-allow mediaserver { app_data_file privapp_data_file }:file rw_file_perms;
+allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
 allow mediaserver sdcard_type:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;

--- a/public/vold.te
+++ b/public/vold.te
@@ -81,11 +81,6 @@ allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-# TODO(b/80418809): remove direct access to private app data
-userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
-allow vold { app_data_file privapp_data_file }:dir search;
-userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
-allow vold { app_data_file privapp_data_file }:file rw_file_perms;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };