am 44cb98a7: Revert "Do not allow isolated_app to directly open app data files."

* commit '44cb98a7': Revert "Do not allow isolated_app to directly open app data files."

am 44cb98a7: Revert "Do not allow isolated_app to directly open app data files."
* commit '44cb98a7': Revert "Do not allow isolated_app to directly open app data files."
f146ff1e · Nick Kralevich · Android Git Automerger · 382895d8 · 44cb98a7 · f146ff1e
Commit f146ff1e authored 10 years ago by Nick Kralevich Committed by Android Git Automerger 10 years ago
--- a/app.te
+++ b/app.te
@@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 # App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;

--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,6 @@
 type isolated_app, domain;
 app_domain(isolated_app)
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };