From 69ec0f8f240d092c83434bd519133a6f4caf0cdc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 4 Oct 2017 14:17:19 -0700
Subject: [PATCH] Drop isolated_app auditallow rule.

This functionality is being used, apparently.

Addresses the following auditallow spam:

type=1400 audit(0.0:1039): avc: granted { write } for comm="Chrome_ProcessL" path="/storage/emulated/0/Android/data/com.bleacherreport.android.teamstream/cache/.com.google.Chrome.sk5n91" dev="sdcardfs" ino=1877565 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:sdcardfs:s0 tclass=file

Test: policy compiles.
Bug: 32896414
Change-Id: I627e20c38115f1d579e78ca12abfa717d32a155a
---
 private/isolated_app.te | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 37935c395..951a0df25 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@ allow isolated_app self:process ptrace;
 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
 # neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
-- 
GitLab
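Review bot: Dropping the TODO together with the auditallow leaves nothing in isolated_app.te recording that write/append on passed sdcard fds was measured and kept on purpose, so the next reader of the retained `allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };` sees only the original "limit mutation" intent in history and no decision. I would replace the two removed comment lines with `# write/append are kept deliberately: isolated_app (e.g. Chrome's renderer) writes to sdcard fds handed to it by other processes (b/32896414); the auditallow was removed once this was confirmed in use.` so the rationale survives the cleanup. Removing the auditallow also ends the granted-access audit records for these writes, which is worth stating since any future attempt to tighten this rule will have to re-add it to measure usage first. The neverallow that is said to block open is referenced as "below" and lies outside this hunk, so its continued presence cannot be confirmed from what is shown here.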