Merge "Revert "Allow rule to let settings access apex files"" am: 71e1c36956 am: be678acc85

am: 7f1dd65024

Change-Id: Ie1ca6f6bf2e1b7d956583a7eaa32ebbe7c04a89e

prebuilts/api/29.0/private/domain.te

@@ -169,7 +169,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

prebuilts/api/29.0/private/system_app.te

@@ -24,12 +24,6 @@ allow system_app misc_user_data_file:file create_file_perms;
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

prebuilts/api/29.0/private/system_server.te

@@ -1012,7 +1012,7 @@ wakelock_use(system_server)
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:dir search;
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can

private/domain.te

@@ -169,7 +169,7 @@ neverallow {
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

private/system_app.te

@@ -24,12 +24,6 @@ allow system_app misc_user_data_file:file create_file_perms;
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

private/system_server.te

@@ -1015,7 +1015,7 @@ wakelock_use(system_server)
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:dir search;
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can