From 5b73b80b0d196a1fffd9525abe151ea46058673a Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Tue, 22 Dec 2020 15:43:23 +0000
Subject: [PATCH] Make shared_relro policy private.

Nothing should be depending on the details. I haven't removed public/shared_relro.te entirely - there's a reference to shared_relro in public/app.te, and at least one reference to the domain outside of system policy.

Fix: 175867372
Test: Presubmits
Change-Id: I5fd4090f4b445520c4fa767c1835a5bb4e9cb146
---
 private/shared_relro.te | 10 ++++++++++
 public/shared_relro.te | 12 ------------
 2 files changed, 10 insertions(+), 12 deletions(-)

diff --git a/private/shared_relro.te b/private/shared_relro.te
index 02f720682..31fdb8c91 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,3 +3,13 @@ typeattribute shared_relro coredomain;
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
 app_domain(shared_relro)
+
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
+
+# StrictMode may attempt to find this service, failure is harmless.
+dontaudit shared_relro network_management_service:service_manager find;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 7413b200d..6dd5bd77f 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
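Review bot: The rules moved into private/shared_relro.te arrive without the explanatory comments they carried in public/shared_relro.te, so the new file no longer states why the domain gets write access to shared_relro_file or which services it needs to find; only the dontaudit keeps its comment. Carrying the two headers over would keep the rationale next to the grants, e.g. `# Grant write access to the shared relro files/directory.` above the first allow and `# Needs to contact the "webviewupdate", "activity" and "package" services` above the three service_manager find rules. Note the old comment named only webviewupdate and activity although package_service was already granted, so the moved comment is a chance to make it match the rules.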
@@ -1,14 +1,2 @@
 # Process which creates/updates shared RELRO files to be used by other apps.
 type shared_relro, domain;
-
-# Grant write access to the shared relro files/directory.
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-# Needs to contact the "webviewupdate" and "activity" services
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;