Merge "Confine mediaserver, but leave it permissive for now."
diff --git a/app.te b/app.te
index 7da4445..8e220ff 100644
--- a/app.te
+++ b/app.te
@@ -202,7 +202,7 @@
neverallow { appdomain -unconfineddomain } { domain -appdomain }:process ptrace;
# Write access to /proc/pid entries for any non-app domain.
-neverallow { appdomain -unconfineddomain } { domain - appdomain }:file write;
+neverallow { appdomain -unconfineddomain } { domain -appdomain }:file write;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
diff --git a/file.te b/file.te
index 8d80e85..24420e9 100644
--- a/file.te
+++ b/file.te
@@ -13,6 +13,8 @@
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
type inotify, fs_type, mlstrustedobject;
type devpts, fs_type, mlstrustedobject;
type tmpfs, fs_type;
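Review bot: Re-declaring `sysfs_devices_system_cpu` with `fs_type, sysfs_type` instead of `file_type` (the old declaration is dropped in the next hunk of this file) changes which attribute-based rules cover the type. Every allow or neverallow written against `sysfs_type` now applies to it, and every rule written against `file_type` stops applying. Those rules are not visible in this diff, so please confirm that no domain gains write access to the CPU nodes through a broad `sysfs_type` rule and that nothing depended on the `file_type` membership. The comment could record the intent, for example `# /sys/devices/system/cpu; a sysfs type, so sysfs_type rules apply to it`.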
@@ -82,8 +84,6 @@
type bluetooth_efs_file, file_type;
# Downloaded files
type download_file, file_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, file_type;
# Socket types
type adbd_socket, file_type;