Snap for 5885124 from 859f9211 to qt-qpr1-release

Change-Id: I86bb9be9c129846714919f3c4a4568a4e4f9b4f4

Snap for 5885124 from 859f9211 to qt-qpr1-release
Change-Id: I86bb9be9c129846714919f3c4a4568a4e4f9b4f4
256f32dd · android-build-team Robot · f58c35e4 · 859f9211 · 256f32dd · 256f32dd
Commit 256f32dd authored 5 years ago by android-build-team Robot
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
  -system_server
  -system_app
  -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
  -hal_codec2_server
  -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
--- a/prebuilts/api/29.0/public/toolbox.te
+++ b/prebuilts/api/29.0/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
--- a/public/domain.te
+++ b/public/domain.te
@@ -1154,6 +1154,7 @@ neverallow {
  -system_server
  -system_app
  -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
  -installd # for relabelfrom and unlink, check for this in explicit neverallow
  -vold_prepare_subdirs # For unlink
  with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@ neverallow {
  -hal_codec2_server
  -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,7 @@ allow toolbox swap_block_device:blk_file rw_file_perms;
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };