From f79d1904e85911a8d6e95cca5d988de25a6dfa55 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Wed, 5 Apr 2017 18:58:20 -0700
Subject: [PATCH] sepolicy: remove redudant rule for symlinks in /vendor/app

All accesses to /vendor/app within the platform already include permission
to read symlinks in that location, so this rule is now redundant.

Bug: 36806861
Test: Boot sailfish and find no denials for 'vendor_app_file'

Change-Id: Ic17a67521cff6717d83b78bb4ad8e21e772f6d4f
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 public/domain.te | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index b744206df..addf4cf35 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -131,11 +131,6 @@ full_treble_only(`
     # through linker/loader.
     allow domain vendor_file:dir { getattr search };
 
-    # Some apps (com.android.phone) need to be able to open
-    # symlinked libraries
-    # TODO: b/36806861
-    allow domain vendor_app_file:lnk_file { open read };
-
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
     allow { domain -coredomain } vendor_file_type:file { read open getattr execute };