app: Allow all apps to read dropbox FDs
DropboxManager may pass FDs to any app with the READ_LOGS permission which is available to all apps as a development permission. Test: atest CtsIncidentHostTestCases Fixes: 111856304 Change-Id: I329e3125dab83de948b860061df9d232e31cb23e
parent
275ea12d84
commit
6026a4adb9
5 changed files with 3 additions and 14 deletions
|
@ -265,8 +265,3 @@ full_treble_only(`
|
|||
|
||||
# Untrusted apps are not allowed to find mediaextractor update service.
|
||||
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
|
||||
|
||||
# Untrusted apps are not allowed to use the signature|privileged|development
|
||||
# android.permission.READ_LOGS permission, so they may not read dropbox files.
|
||||
# Access to the the dropbox directory is covered by a neverallow for domain.
|
||||
neverallow all_untrusted_apps dropbox_data_file:file *;
|
||||
|
|
|
@ -27,9 +27,6 @@ allow platform_app asec_apk_file:file create_file_perms;
|
|||
allow platform_app media_rw_data_file:dir create_dir_perms;
|
||||
allow platform_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow platform_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Write to /cache.
|
||||
allow platform_app cache_file:dir create_dir_perms;
|
||||
allow platform_app cache_file:file create_file_perms;
|
||||
|
|
|
@ -54,9 +54,6 @@ allow priv_app ota_package_file:file create_file_perms;
|
|||
allow priv_app media_rw_data_file:dir create_dir_perms;
|
||||
allow priv_app media_rw_data_file:file create_file_perms;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow priv_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Used by Finsky / Android "Verify Apps" functionality when
|
||||
# running "adb install foo.apk".
|
||||
allow priv_app shell_data_file:file r_file_perms;
|
||||
|
|
|
@ -24,9 +24,6 @@ allow system_app misc_user_data_file:file create_file_perms;
|
|||
# Access to vold-mounted storage for measuring free space
|
||||
allow system_app mnt_media_rw_file:dir search;
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow system_app dropbox_data_file:file { getattr read };
|
||||
|
||||
# Read wallpaper file.
|
||||
allow system_app wallpaper_file:file r_file_perms;
|
||||
|
||||
|
|
|
@ -350,6 +350,9 @@ allow appdomain cache_file:dir getattr;
|
|||
# Allow apps to run with asanwrapper.
|
||||
with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
|
||||
|
||||
# Read access to FDs from the DropboxManagerService.
|
||||
allow appdomain dropbox_data_file:file { getattr read };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
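Review bot: The new `allow appdomain dropbox_data_file:file { getattr read };` extends the grant to every app domain, untrusted apps included, while the first hunk deletes the `neverallow all_untrusted_apps dropbox_data_file:file *;` guard outright instead of narrowing it. Only `getattr` and `read` are needed for FDs handed over by DropboxManagerService, so a narrowed rule such as `neverallow all_untrusted_apps dropbox_data_file:file ~{ getattr read };` would keep a build-time guarantee that no later change gives these domains `open`, `write` or `create` on dropbox files. The comment above the allow could also record the intent, for example `# No open: apps only use FDs passed by DropboxManagerService, which checks READ_LOGS.` Going by the commit description, that permission check in the service is now the only gate for untrusted apps. Whether another neverallow elsewhere already covers `open` on this type is not visible from this page.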