Don't allow dexoptanalyzer to open app_data_files

Test: manual(installd flow without sepolicy denials) Bug: 67111829 Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0

Don't allow dexoptanalyzer to open app_data_files
Test: manual(installd flow without sepolicy denials) Bug: 67111829 Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0
b8a42499 · Shubham Ajmera · bf4786cf · b8a42499
Commit b8a42499 authored 7 years ago by Shubham Ajmera
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -20,7 +20,7 @@ allow dexoptanalyzer installd:fd use;
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
+allow dexoptanalyzer app_data_file:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.