Revert "Allow anyone to read aconfig test mission file"
This reverts commit c2e02348c3b545f43b6dfa49ab430c6e6b626b36.
Reason for revert: DroidMonitor: Potential culprit for b/350524644 - verifying through ABTD before revert submission. This is part of the standard investigation process, and does not mean your CL will be reverted.
Change-Id: I97c1efc5d205ec28f80f1fca202ca8748c6d4d05
diff --git a/private/domain.te b/private/domain.te
index 67ff430..61e2ea6 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -570,15 +570,13 @@
-hal_omx_server
} {shell_exec toolbox_exec}:file rx_file_perms;
-# Allow all processes to read aconfig flag storage files. The format is hidden behind
-# code-generated APIs, but since the libraries are executed in the context of the caller,
-# all processes need access to the underlying files.
-is_flag_enabled(RELEASE_READ_FROM_NEW_STORAGE, `
- r_dir_file(domain, aconfig_storage_metadata_file);
- r_dir_file(domain, aconfig_test_mission_files);
-')
+# Allow all to read from flag value boot snapshot storage files and general pb files
+# The boot snapshot of storage files serves flag read traffic for all processes, thus
+# needs to be readable by everybody.
+r_dir_file(domain, aconfig_storage_metadata_file);
r_dir_file({ coredomain appdomain }, system_aconfig_storage_file);
+r_dir_file({ coredomain appdomain }, aconfig_test_mission_files);
# processes needs to access storage file stored at /metadata/aconfig/boot, require search
# permission on /metadata dir
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..38ea999 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -33,9 +33,6 @@
allow dumpstate dropbox_data_file:file r_file_perms;
')
-r_dir_file(dumpstate, aconfig_storage_metadata_file);
-r_dir_file(dumpstate, aconfig_test_mission_files);
-
# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)