Revert "Do not allow isolated_app to directly open app data files."

This is causing the version of Chrome in Android's tree to crash. The
version of Chrome in Android's tree does not have the following patch:
https://codereview.chromium.org/630123003

Until Chrome updates the version in Android's tree, we need to revert.

Works around the following denials:

audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

This reverts commit 669a97730376e919813411fcfdddac35bd7236ae.

Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
diff --git a/app.te b/app.te
index d03b9aa..ea74cb0 100644
--- a/app.te
+++ b/app.te
@@ -46,8 +46,8 @@
 allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
 
 # App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:dir create_dir_perms;
+allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
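
Review bot: The two restored `allow appdomain app_data_file:...` lines grant far more than the denials quoted in the commit message require. Those denials are only `search` and `getattr` on `tclass=dir`, yet isolated_app gets back the full `create_dir_perms` and `create_file_perms` sets on app data. If the Chrome build in the tree can tolerate it, consider keeping `{ appdomain -isolated_app }` on both rules and adding a narrow rule such as `allow isolated_app app_data_file:dir { search getattr };`. If the full revert is needed, add a comment above these rules citing Bug 18006219 so the exclusion is restored once Chrome is updated.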
diff --git a/isolated_app.te b/isolated_app.te
index 6fc7a99..f17372a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,12 +12,6 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app app_data_file:file open;
-
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };
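
Review bot: Deleting `neverallow isolated_app app_data_file:file open;` removes the only build-time check that would catch a later rule granting isolated_app direct opens of app data files. Nothing is left in isolated_app.te to show that the restriction is only suspended. Since the commit message describes this as temporary until Chrome in the tree picks up the referenced patch, leave a comment at this spot stating that the neverallow and the `{ read write getattr }` rule are to be reinstated, with a reference to Bug 18006219, so the hardening is not lost.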