Merge changes Icd71c967,I3fd90ad9
* changes: Do not permit appdomain to create/write to download_file. Remove duplicated rules between appdomain and isolated_app.
This commit is contained in:
Nick Kralevich
Gerrit Code Review
commit
d1f448d4a5
2 changed files with 1 additions and 5 deletions
3
app.te
3
app.te
|
|
@ -66,7 +66,6 @@ binder_call(appdomain, appdomain)
|
|||
|
||||
# Appdomain interaction with isolated apps
|
||||
r_dir_file(appdomain, isolated_app)
|
||||
binder_call(appdomain, isolated_app)
|
||||
|
||||
# Already connected, unnamed sockets being passed over some other IPC
|
||||
# hence no sock_file or connectto permission. This appears to be how
|
||||
|
|
@ -82,8 +81,8 @@ allow appdomain cache_backup_file:file { read write getattr };
|
|||
allow appdomain system_data_file:lnk_file getattr;
|
||||
|
||||
# Allow all applications to read downloaded files
|
||||
allow appdomain download_file:dir search;
|
||||
allow appdomain download_file:file r_file_perms;
|
||||
file_type_auto_trans(appdomain, download_file, download_file)
|
||||
|
||||
# Allow applications to communicate with netd via /dev/socket/dnsproxyd
|
||||
# to do DNS resolution
|
||||
|
|
|
|||
|
|
@ -13,9 +13,6 @@ type isolated_app, domain;
|
|||
permissive isolated_app;
|
||||
app_domain(isolated_app)
|
||||
|
||||
# Appdomain interaction with isolated apps
|
||||
r_dir_file(appdomain, isolated_app)
|
||||
|
||||
# Already connected, unnamed sockets being passed over some other IPC
|
||||
# hence no sock_file or connectto permission. This appears to be how
|
||||
# Chrome works, may need to be updated as more apps using isolated services
|
||||
|
|
|
|||
Loading…
Reference in a new issue