b07c12c39d
Remove references in sepolicy. Leave a few of the types defined since they're public and may be used in device-specific policy. Bug: 211461392 Test: build/boot cuttlefish Change-Id: I615137b92b82b744628ab9b7959ae5ff28001169
24 lines
646 B
Text
24 lines
646 B
Text
# MLS override can't be used to access private app data.
|
|
|
|
# Apps should not normally be mlstrustedsubject, but if they must be
|
|
# they cannot use this to access app private data files; their own app
|
|
# data files must use a different label.
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-installd
|
|
} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-installd
|
|
} { app_data_file privapp_data_file }:dir ~{ read getattr search };
|
|
|
|
neverallow {
|
|
mlstrustedsubject
|
|
-installd
|
|
-system_server
|
|
-adbd
|
|
-runas
|
|
-zygote
|
|
} { app_data_file privapp_data_file }:dir { read getattr search };
|