Move some rules around Move rules / neverallow assertions from public to private policy. This change, by itself, is a no-op, but will make future patches easier to read. The only downside of this change is that it will make git blame less effective. Motivation: When rules are placed into the public directory, they cannot reference a private type. A future change will modify these rules to reference a private type. Test: compiles Bug: 112357170 Change-Id: I56003409b3a23370ddab31ec01d69ff45c80d7e5

commit: 1e5021c450a06eb738209948d1522747d3f327fa [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Nov 28 17:50:24 2018 -0800
committer: Nick Kralevich <nnk@google.com> Wed Nov 28 17:55:21 2018 -0800
tree: 3966effe22e92da326f8bd3a1454afc09e29514c
parent: b1dad0967902c26212bae77e83c09a9cf9ab8568 [diff] [blame]
diff --git a/private/app.te b/private/app.te
index 7d9bc89..b2c1be3 100644
--- a/private/app.te
+++ b/private/app.te

@@ -13,3 +13,11 @@
 neverallow appdomain system_server:udp_socket {
         accept append bind create ioctl listen lock name_bind
         relabelfrom relabelto setattr shutdown };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+    { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+    { dyntransition };
commit	1e5021c450a06eb738209948d1522747d3f327fa	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Nov 28 17:50:24 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Wed Nov 28 17:55:21 2018 -0800
tree	3966effe22e92da326f8bd3a1454afc09e29514c
parent	b1dad0967902c26212bae77e83c09a9cf9ab8568 [diff] [blame]