Remove implicit access for isolated_app
Bug: 265960698
Test: flash, boot and use Chrome; no denials related to isolated_app
Test: crash Chrome using chrome://crash; no new denials from
isolated_app
Test: atest CtsWebkitTestCases
Change-Id: I0b9e433eb973a5e99741fc88be5e13e9704c9c9e
This commit is contained in:
Thiébaud Weksteen
parent
0099ba37f3
commit
7ba4801b6e
1 changed files with 10 additions and 10 deletions
|
|
@ -136,14 +136,14 @@ allow appdomain tombstone_data_file:file { getattr read };
|
|||
neverallow appdomain tombstone_data_file:file ~{ getattr read };
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
|
||||
|
||||
# Allow apps access to /vendor/app except for privileged
|
||||
# apps which cannot be in /vendor.
|
||||
r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
|
||||
|
||||
# Perform binder IPC to sdk sandbox.
|
||||
binder_call(appdomain, sdk_sandbox)
|
||||
|
|
@ -172,7 +172,7 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usb_device:chr
|
|||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
|
||||
|
||||
#logd access
|
||||
control_logd({ appdomain -ephemeral_app -sdk_sandbox })
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
|
||||
|
||||
# application inherit logd write socket (urge is to deprecate this long term)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
|
||||
|
|
@ -309,16 +309,16 @@ allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_
|
|||
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow appdomain wallpaper_file:file { getattr read write map };
|
||||
allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
|
||||
|
||||
# Read/write cached ringtones (opened by system).
|
||||
allow appdomain ringtone_file:file { getattr read write map };
|
||||
allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
|
||||
|
||||
# Read ShortcutManager icon files (opened by system).
|
||||
allow appdomain shortcut_manager_icons:file { getattr read map };
|
||||
allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
|
||||
|
||||
# Read icon file (opened by system).
|
||||
allow appdomain icon_file:file { getattr read map };
|
||||
allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
|
||||
|
||||
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
|
||||
#
|
||||
|
|
|
|||
Loading…
Reference in a new issue