domain_deprecated: remove cache access am: 790f4c7e20 am: 3ca774762b
am: 664743bddf
Change-Id: I0f802840891ff66eb74aeaed602f791412d07ffb
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 82534fe..e933784 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -109,37 +109,6 @@
} apk_data_file:lnk_file r_file_perms;
')
-# Read already opened /cache files.
-allow domain_deprecated cache_file:dir r_dir_perms;
-allow domain_deprecated cache_file:file { getattr read };
-allow domain_deprecated cache_file:lnk_file r_file_perms;
-userdebug_or_eng(`
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:dir { open read search ioctl lock };
-auditallow {
- domain_deprecated
- -appdomain
- -recovery
- -system_server
- -vold
-} cache_file:dir getattr;
-auditallow {
- domain_deprecated
- -recovery
- -system_server
- -vold
-} cache_file:file { getattr read };
-auditallow {
- domain_deprecated
- -system_server
- -vold
-} cache_file:lnk_file r_file_perms;
-')
-
# Read access to pseudo filesystems.
r_dir_file(domain_deprecated, proc)
r_dir_file(domain_deprecated, sysfs)
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 7ae7d39..d10eb39 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -14,6 +14,7 @@
# Read /cache/recovery/command
# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
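Review bot: The added `allow uncrypt cache_file:dir search;` has no comment of its own and sits under two comments that describe cache_recovery_file objects, so its purpose is not evident from the file. It presumably replaces the directory access uncrypt previously inherited through domain_deprecated, reduced to traversal of the /cache root. A comment directly above the rule, such as `# Search /cache to reach /cache/recovery.`, would record that. Granting only `search` rather than r_dir_perms is the right scope and should be kept that narrow.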
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 8e454cc..fb0284f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -24,6 +24,8 @@
allow update_engine_common postinstall_file:lnk_file r_file_perms;
allow update_engine_common postinstall_file:dir r_dir_perms;
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
# A postinstall program is typically a shell script (with a #!), so we allow
# to execute those.
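Review bot: `r_dir_file(update_engine_common, cache_file)` grants more than the domain_deprecated rule this commit removes. The removed rule allowed only `{ getattr read }` on cache_file files, as its "already opened" comment says, whereas r_dir_file also grants `open` on files and read access to lnk_file, and it applies to whatever domains share update_engine_common. Since /cache is a writable partition, symlink access for the updater is worth granting only if something needs it. If reading update.zip is the only use, consider the explicit rules `allow update_engine_common cache_file:dir r_dir_perms;` and `allow update_engine_common cache_file:file r_file_perms;`, and extend the comment to name the component that reads the package.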