Revert "Remove implicit access for isolated_app"
This reverts commit 7ba4801b6e.
Reason for revert: b/315295188
Change-Id: Ib4a4d68763f68bc1cebe6528ce4b81188f35ba49
Test: build and run on Cuttlefish. Verify that isolated_app denials go away.
This commit is contained in:
Jeffrey Vander Stoep
Jeff Vander Stoep
parent
226f837c4d
commit
b6c262c238
1 changed files with 10 additions and 10 deletions
|
|
@ -137,14 +137,14 @@ allow appdomain tombstone_data_file:file { getattr read };
|
|||
neverallow appdomain tombstone_data_file:file ~{ getattr read };
|
||||
|
||||
# Execute the shell or other system executables.
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
|
||||
not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
|
||||
|
||||
# Allow apps access to /vendor/app except for privileged
|
||||
# apps which cannot be in /vendor.
|
||||
r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
|
||||
r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
|
||||
allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
|
||||
|
||||
# Perform binder IPC to sdk sandbox.
|
||||
binder_call(appdomain, sdk_sandbox_all)
|
||||
|
|
@ -176,7 +176,7 @@ allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usb_device
|
|||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
|
||||
|
||||
#logd access
|
||||
control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
|
||||
control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
|
||||
|
||||
# application inherit logd write socket (urge is to deprecate this long term)
|
||||
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
|
||||
|
|
@ -315,16 +315,16 @@ allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_
|
|||
allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
|
||||
|
||||
# Read/write wallpaper file (opened by system).
|
||||
allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
|
||||
allow appdomain wallpaper_file:file { getattr read write map };
|
||||
|
||||
# Read/write cached ringtones (opened by system).
|
||||
allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
|
||||
allow appdomain ringtone_file:file { getattr read write map };
|
||||
|
||||
# Read ShortcutManager icon files (opened by system).
|
||||
allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
|
||||
allow appdomain shortcut_manager_icons:file { getattr read map };
|
||||
|
||||
# Read icon file (opened by system).
|
||||
allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
|
||||
allow appdomain icon_file:file { getattr read map };
|
||||
|
||||
# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
|
||||
#
|
||||
|
|
|
|||
Loading…
Reference in a new issue