Drop isolated_app auditallow rule.

This functionality is being used, apparently. Addresses the following auditallow spam: type=1400 audit(0.0:1039): avc: granted { write } for comm="Chrome_ProcessL" path="/storage/emulated/0/Android/data/com.bleacherreport.android.teamstream/cache/.com.google.Chrome.sk5n91" dev="sdcardfs" ino=1877565 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0 tclass=file Test: policy compiles. Bug: 32896414 Change-Id: I627e20c38115f1d579e78ca12abfa717d32a155a

Drop isolated_app auditallow rule.
This functionality is being used, apparently. Addresses the following auditallow spam: type=1400 audit(0.0:1039): avc: granted { write } for comm="Chrome_ProcessL" path="/storage/emulated/0/Android/data/com.bleacherreport.android.teamstream/cache/.com.google.Chrome.sk5n91" dev="sdcardfs" ino=1877565 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0 tclass=file Test: policy compiles. Bug: 32896414 Change-Id: I627e20c38115f1d579e78ca12abfa717d32a155a
69ec0f8f · Nick Kralevich · 1e880410 · 69ec0f8f
Commit 69ec0f8f authored 7 years ago by Nick Kralevich
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@ allow isolated_app self:process ptrace;
 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
 # neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the