Revert "Prevent isolated_app from searching system_data_file."
This reverts commit 8dea7318056e4af3cf308aa9263de5e920d29f18.
Reason for revert: b/162048565: broke access to /data/misc/shared_relro
Change-Id: Ia0f7b6bd575f1d1c95f11a356a5463b72dde9b10
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 33b5219..4c6c5aa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -74,9 +74,6 @@
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app { app_data_file privapp_data_file }:file open;
-# Isolated aps should not be directly accessing system directories
-neverallow isolated_app system_data_file:dir search;
-
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
# TODO: are there situations where isolated_apps write to this file?
# TODO: should we tighten these restrictions further?
diff --git a/public/domain.te b/public/domain.te
index b0cf207..3adfcb5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -229,12 +229,10 @@
allow domain system_data_file:dir getattr;
')
allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Many components need search
-# permission on system_data_root_file for path traversal.
+# /data has the label system_data_root_file. Vendor components need the search
+# permission on system_data_root_file for path traversal to /data/vendor.
allow domain system_data_root_file:dir { search getattr } ;
-# Isolated apps have no need to traverse system_data_file dirs
-allow { domain -isolated_app } system_data_file:dir search;
-# Vendor components need access to /dara/vendor
+allow domain system_data_file:dir search;
# TODO restrict this to non-coredomain
allow domain vendor_data_file:dir { getattr search };
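Review bot: The restored `allow domain system_data_file:dir search;` is left without a comment, and the reworded comment two lines above covers only `system_data_root_file` and /data/vendor, so nothing in the policy records why every domain, isolated_app included, gets search on system_data_file directories. The revert reason says the exclusion broke access to /data/misc/shared_relro, so I would put that next to the rule, for example `# All domains, including isolated_app, need search here; excluding isolated_app broke /data/misc/shared_relro (b/162048565).` The same commit also drops the matching neverallow in private/isolated_app.te, so without the comment a later attempt to tighten this rule has no in-tree hint of the dependency. The reworded comment also says "Vendor components" while the rule it describes still applies to all of `domain`, which reads narrower than what is actually granted.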