Snap for 5885124 from 859f9211d802e1c210ccf15674c3bd6dc60c3681 to qt-qpr1-release

Change-Id: I86bb9be9c129846714919f3c4a4568a4e4f9b4f4
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 987bb9f..f348701 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -1154,6 +1154,7 @@
   -system_server
   -system_app
   -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
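Review bot: The new `-toolbox` exemption does not record which of the restricted permissions toolbox actually needs, unlike the `-installd` and `-vold_prepare_subdirs` lines next to it. The neverallow statement this list belongs to starts and ends outside the hunk, so the permission set being waived is not visible here; judging from the toolbox.te change in the same commit it is presumably directory removal and file unlink on system_data_file. I would word the line as `-toolbox # TODO(b/141108496): remove; only for rm -rf in /data (rmdir, unlink)` so the intended scope of the exemption is written down until the bug is resolved. The same applies to the identical hunk in public/domain.te.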
@@ -1407,4 +1408,3 @@
   -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/prebuilts/api/29.0/public/toolbox.te b/prebuilts/api/29.0/public/toolbox.te
index 19cc3b6..fcf0ec3 100644
--- a/prebuilts/api/29.0/public/toolbox.te
+++ b/prebuilts/api/29.0/public/toolbox.te
@@ -22,3 +22,7 @@
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };
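Review bot: `rw_dir_perms` on `system_data_file:dir` grants more than the `rm -rf` use named in the comment, because the macro also carries `add_name`, which removing entries does not need. A tighter rule would be `allow toolbox system_data_file:dir { rmdir r_dir_perms write remove_name };`. Since system_data_file appears to be the generic label for content under /data, the comment should also name what relies on the grant, for example `# rm -rf of <directory> run from <init script>`, so the rule can be dropped when that caller goes away. The same applies to the identical hunk in public/toolbox.te.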
diff --git a/public/domain.te b/public/domain.te
index 987bb9f..f348701 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1154,6 +1154,7 @@
   -system_server
   -system_app
   -init
+  -toolbox # TODO(b/141108496) We want to remove toolbox
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
   -vold_prepare_subdirs # For unlink
   with_asan(`-asan_extract')
@@ -1407,4 +1408,3 @@
   -hal_codec2_server
   -hal_omx_server
 } hal_codec2_hwservice:hwservice_manager add;
-
diff --git a/public/toolbox.te b/public/toolbox.te
index 19cc3b6..fcf0ec3 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -22,3 +22,7 @@
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
+
+# rm -rf directories in /data
+allow toolbox system_data_file:dir { rmdir rw_dir_perms };
+allow toolbox system_data_file:file { getattr unlink };