tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove direct qtaguid access from platform/system apps

Browse source 
System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef
This commit is contained in:
Jeff Vander Stoep 2018-04-04 13:21:37 -07:00 committed by Jeffrey Vander Stoep
parent 9d28625fc4
commit f3220aa6b9
1 changed files with 0 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
public/app.te
View file

@ -181,8 +181,6 @@ allow {
untrusted_app_27
ephemeral_app
priv_app
system_app
platform_app
} proc_qtaguid_ctrl:file rw_file_perms;
# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
# Exclude isolated app which may not use network sockets.
@ -191,8 +189,6 @@ r_dir_file({
untrusted_app_27
ephemeral_app
priv_app
system_app
platform_app
}, proc_qtaguid_stat)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
@ -201,8 +197,6 @@ allow {
untrusted_app_27
ephemeral_app
priv_app
system_app
platform_app
} qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.