From df679fdbd9bf5d5828693a72fe6158535689b279 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Wed, 5 Apr 2017 18:28:01 -0700
Subject: [PATCH] sepolicy: restrict access for /vendor/framework.

/vendor/framework is now the designated location for vendor platform
libraries. The directory is therefore made available only to the 'dex2oat'
coredomain.

Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for
      'vendor_framework_file'

Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 public/dex2oat.te | 3 +++
 public/domain.te  | 5 -----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/public/dex2oat.te b/public/dex2oat.te
index bbd3c72f9..2fb233649 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -5,6 +5,9 @@ type dex2oat_exec, exec_type, file_type;
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
 r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
 
 allow dex2oat tmpfs:file { read getattr };
 
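Review bot: The added dir rule grants dex2oat only `{ getattr search }` on vendor_framework_file, whereas the neighbouring `r_dir_file(dex2oat, vendor_app_file)` line and the removed domain.te rule both used r_dir_perms, so directory listing (`read`) is dropped without a comment saying why. If that narrowing is deliberate least privilege, a one-line note such as `# no dir read: dex2oat opens known paths under /vendor/framework, never lists it` would stop a later maintainer from "fixing" it; if it is not, `r_dir_file(dex2oat, vendor_framework_file)` keeps the block consistent with the vendor_app_file line above. The description says the directory is now available only to dex2oat, but the surviving `allow { domain -coredomain } vendor_file_type:...` rules in domain.te still reach it if vendor_framework_file carries the vendor_file_type attribute (its type declaration is not in this patch), so the effective audience is presumably dex2oat plus all vendor domains, which is worth stating explicitly. Nothing in the patch pins the intent either: with no neverallow, a later allow in another coredomain .te re-opens the directory silently, so consider a `neverallow { coredomain -dex2oat } vendor_framework_file:file *;` style rule, adjusted for any legitimate carve-outs, so the restriction is enforced at policy build time rather than by convention.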
diff --git a/public/domain.te b/public/domain.te
index ffa8d44a8..b744206df 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@ full_treble_only(`
     # TODO: b/36806861
     allow domain vendor_app_file:lnk_file { open read };
 
-    # TODO: b/36680116, find out who neeeds access and only allow
-    # specific domains
-    allow domain vendor_framework_file:dir r_dir_perms;
-    allow domain vendor_framework_file:file { read open getattr };
-
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
     allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
-- 
GitLab