sepolicy: restrict access for /vendor/framework.

/vendor/framework is now designated location for vendor's platform libraries. The directory is thus only made available for 'dex2oat' coredomain. Bug: 36680116 Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for 'vendor_framework_file' Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa Signed-off-by: Sandeep Patil <sspatil@google.com>

sepolicy: restrict access for /vendor/framework.
/vendor/framework is now designated location for vendor's platform libraries. The directory is thus only made available for 'dex2oat' coredomain. Bug: 36680116 Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for 'vendor_framework_file' Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa Signed-off-by: Sandeep Patil <sspatil@google.com>
df679fdb · Sandeep Patil · 9075699a · df679fdb · df679fdb
Commit df679fdb authored 7 years ago by Sandeep Patil
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -5,6 +5,9 @@ type dex2oat_exec, exec_type, file_type;
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
 r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };

 allow dex2oat tmpfs:file { read getattr };


--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@ full_treble_only(`
    # TODO: b/36806861
    allow domain vendor_app_file:lnk_file { open read };

-    # TODO: b/36680116, find out who neeeds access and only allow
-    # specific domains
-    allow domain vendor_framework_file:dir r_dir_perms;
-    allow domain vendor_framework_file:file { read open getattr };
-
    # Allow reading and executing out of /vendor to all vendor domains
    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };