Remove zygote write access to system_data_file.

These rules seem to be a legacy of old Android or perhaps old policy before we began splitting types on /data. I have not been able to trigger the auditallow rules on AOSP master. Reduce the rules to only read access to system data. If we need write access to some specific directory under /data, we should introduce a type for it. Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove zygote write access to system_data_file.
These rules seem to be a legacy of old Android or perhaps old policy before we began splitting types on /data. I have not been able to trigger the auditallow rules on AOSP master. Reduce the rules to only read access to system data. If we need write access to some specific directory under /data, we should introduce a type for it. Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
df48bd2c · Stephen Smalley · f78fb4e0 · df48bd2c
Commit df48bd2c authored 10 years ago by Stephen Smalley
--- a/zygote.te
+++ b/zygote.te
@@ -17,11 +17,10 @@ allow zygote appdomain:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system_server:process { getpgid setpgid };
 allow zygote appdomain:process { getpgid setpgid };
-# Write to system data.
-allow zygote system_data_file:dir rw_dir_perms;
-allow zygote system_data_file:file create_file_perms;
-auditallow zygote system_data_file:dir { write add_name remove_name };
-auditallow zygote system_data_file:file { create setattr write append link unlink rename };
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+# Write to /data/dalvik-cache.
 allow zygote dalvikcache_data_file:dir create_dir_perms;
 allow zygote dalvikcache_data_file:file create_file_perms;
 # For art.