Snap for 6290860 from a68dd136aab93db5ae3e2f80b67688d06aced3ed to qt-d4-release
Change-Id: Ic07ed773f4ad7765bb3e1211bf95f035bc4d9e45
diff --git a/prebuilts/api/29.0/private/app.te b/prebuilts/api/29.0/private/app.te
index 0d9a2b4..7f06d29 100644
--- a/prebuilts/api/29.0/private/app.te
+++ b/prebuilts/api/29.0/private/app.te
@@ -2,6 +2,22 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/29.0/private/priv_app.te b/prebuilts/api/29.0/private/priv_app.te
index ab3847b..1bff418 100644
--- a/prebuilts/api/29.0/private/priv_app.te
+++ b/prebuilts/api/29.0/private/priv_app.te
@@ -186,12 +186,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
###
### neverallow rules
###
diff --git a/prebuilts/api/29.0/private/untrusted_app_all.te b/prebuilts/api/29.0/private/untrusted_app_all.te
index 3c20c08..89fb6cb 100644
--- a/prebuilts/api/29.0/private/untrusted_app_all.te
+++ b/prebuilts/api/29.0/private/untrusted_app_all.te
@@ -173,12 +173,6 @@
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
userdebug_or_eng(`
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..7f06d29 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,22 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+# Prevent apps from causing presubmit failures.
+# Apps can cause selinux denials by accessing CE storage
+# and/or external storage. In either case, the selinux denial is
+# not the cause of the failure, but just a symptom that
+# storage isn't ready. Many apps handle the failure appropriately.
+#
+# Apps cannot access external storage before it becomes available.
+dontaudit appdomain storage_stub_file:dir getattr;
+# Attempts to write to system_data_file is generally a sign
+# that apps are attempting to access encrypted storage before
+# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
+# allowed to write to CE storage before it's available.
+# Attempting to do so will be blocked by both selinux and unix
+# permissions.
+dontaudit appdomain system_data_file:dir write;
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/priv_app.te b/private/priv_app.te
index ab3847b..1bff418 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -186,12 +186,6 @@
allow priv_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent apps from spamming the logs.
-dontaudit priv_app system_data_file:dir write;
-
###
### neverallow rules
###
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 3c20c08..89fb6cb 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -173,12 +173,6 @@
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
create_pty(untrusted_app_all)
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Suppress this
-# denial to prevent third party apps from spamming the logs.
-dontaudit untrusted_app_all system_data_file:dir write;
-
# Allow access to kcov via its ioctl interface for coverage
# guided kernel fuzzing.
userdebug_or_eng(`
