Merge "untrusted_app_25: remove access to net.dns properties" am: dc560e0921 am: 4ed2b96cbd

am: 966793daa6 Change-Id: I7f279577a6fa2c7ed3721c2f5da60a2e0c3f83f6
2019-10-16 02:25:30 -07:00 · 2019-10-16 02:25:30 -07:00 · f0777f5787
commit f0777f5787
parent fb7b1e37e0 966793daa6
2 changed files with 2 additions and 7 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -37,9 +37,8 @@ neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write
 neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
 neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;

-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;

 # Shared libraries created by trusted components within an app home
 # directory can be dlopen()ed. To maintain the W^X property, these files
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -26,10 +26,6 @@ untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
 bluetooth_domain(untrusted_app_25)

-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
 # b/35917228 - /proc/misc access
 # This will go away in a future Android release
 allow untrusted_app_25 proc_misc:file r_file_perms;