Revert "Prevent isolated_app from searching system_data_file."

This reverts commit 8dea731805. Reason for revert: b/162048565: broke access to /data/misc/shared_relro Change-Id: Ia0f7b6bd575f1d1c95f11a356a5463b72dde9b10
2020-10-15 16:44:52 +00:00 · 2020-10-15 16:44:52 +00:00 · 0a364c35e5
commit 0a364c35e5
parent 8dea731805
2 changed files with 3 additions and 8 deletions
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -74,9 +74,6 @@ can_profile_perf(isolated_app)
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app { app_data_file privapp_data_file }:file open;

-# Isolated aps should not be directly accessing system directories
-neverallow isolated_app system_data_file:dir search;
-
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 # TODO: are there situations where isolated_apps write to this file?
 # TODO: should we tighten these restrictions further?
--- a/public/domain.te
+++ b/public/domain.te
@ -229,12 +229,10 @@ not_full_treble(`
  allow domain system_data_file:dir getattr;
 ')
 allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Many components need search
-# permission on system_data_root_file for path traversal.
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
 allow domain system_data_root_file:dir { search getattr } ;
-# Isolated apps have no need to traverse system_data_file dirs
-allow { domain -isolated_app } system_data_file:dir search;
-# Vendor components need access to /dara/vendor
+allow domain system_data_file:dir search;
 # TODO restrict this to non-coredomain
 allow domain vendor_data_file:dir { getattr search };