364fd19782
Addresses the following auditallow spam:
avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file
Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
23 lines
659 B
Text
23 lines
659 B
Text
# profman
|
|
type profman, domain;
|
|
type profman_exec, exec_type, file_type;
|
|
|
|
allow profman libart_file:file r_file_perms;
|
|
|
|
allow profman user_profile_data_file:file { getattr read write lock };
|
|
|
|
# Dumping profile info opens the application APK file for pretty printing.
|
|
allow profman asec_apk_file:file { read };
|
|
allow profman apk_data_file:file { read };
|
|
allow profman oemfs:file { read };
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
allow profman tmpfs:file { read };
|
|
allow profman profman_dump_data_file:file { write };
|
|
|
|
allow profman installd:fd use;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
neverallow profman app_data_file:notdevfile_class_set open;
|