Merge "Revert "Remove implicit access for isolated_app"" into main am: 405e221ae3 am: a2e3b749ae am: 43e891113b

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2863039 Change-Id: I6eed302ff308f0d64c599250e091aef9215a4702 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-12 02:40:19 +00:00 · 2023-12-12 02:40:19 +00:00 · 5b69d79b50
commit 5b69d79b50
parent 0c455d18f6 43e891113b
1 changed files with 10 additions and 10 deletions
--- a/private/app.te
+++ b/private/app.te
@ -137,14 +137,14 @@ allow appdomain tombstone_data_file:file { getattr read };
 neverallow appdomain tombstone_data_file:file ~{ getattr read };
 # Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
@ -176,7 +176,7 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
 #logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
 # application inherit logd write socket (urge is to deprecate this long term)
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
@ -315,16 +315,16 @@ allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_
 allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
 # Read/write wallpaper file (opened by system).
-allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
+allow appdomain wallpaper_file:file { getattr read write map };
 # Read/write cached ringtones (opened by system).
-allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
+allow appdomain ringtone_file:file { getattr read write map };
 # Read ShortcutManager icon files (opened by system).
-allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
+allow appdomain shortcut_manager_icons:file { getattr read map };
 # Read icon file (opened by system).
-allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
+allow appdomain icon_file:file { getattr read map };
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #