From 68748c2166847469a06347e6d22e20d8e35107d8 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 15 Oct 2015 17:11:27 -0700
Subject: [PATCH] Remove untrusted_app access to cache

neverallow cache access for untrusted_app and isolated_app

Access to cache is a system|signature permission. Only
priv/system/platform apps should be allowed access.

Change-Id: I7ebd38ce6d39950e74c0a164479bc59e694c852d
---
 isolated_app.te  | 4 ++++
 untrusted_app.te | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/isolated_app.te b/isolated_app.te
index 463f02d07..0fab85e10 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -46,3 +46,7 @@ neverallow isolated_app {
 
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
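Review bot: The comment above the two added rules overstates what they enforce: `~{ r_dir_perms }` on `cache_file:dir` and `~{ read getattr }` on `cache_file:file` still permit a read-only view of /cache, and since `open` is not in the file exemption, reads can only happen on a descriptor handed over by another domain (I infer that fd-passing is the intended use). Suggest making the comment say that, e.g. `# Do not allow isolated_app to write /cache; read/getattr on a passed-in cache_file fd is still permitted (no open).` The same wording issue applies to the matching untrusted_app.te hunk at the end of the patch.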
diff --git a/untrusted_app.te b/untrusted_app.te
index b4cb6aad8..1778c2232 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,10 +70,6 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 # TODO: narrow this to just MediaProvider
 allow untrusted_app mnt_media_rw_file:dir search;
 
-# Write to /cache.
-allow untrusted_app cache_file:dir create_dir_perms;
-allow untrusted_app cache_file:file create_file_perms;
-
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
@@ -151,3 +147,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 
 # Do not allow untrusted app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+
+# Do not allow untrusted_app access to /cache
+neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
+neverallow untrusted_app cache_file:file ~{ read getattr };
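Review bot: The two neverallow rules cover only the `dir` and `file` classes of cache_file, so a later allow rule granting untrusted_app write access to other object classes carrying the cache_file label (lnk_file, fifo_file, sock_file) would not be rejected at policy build time. If the goal is no write access to anything under /cache, consider a third rule such as `neverallow untrusted_app cache_file:{ lnk_file fifo_file sock_file } ~{ read getattr };` whether such objects actually exist under /cache is not visible in this patch. The same gap is present in the isolated_app.te hunk.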
-- 
GitLab