Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4c40d7344ce20872a4cabf2117b90f31d29d1ad2^! / . / private / ephemeral_app.te
commit4c40d7344ce20872a4cabf2117b90f31d29d1ad2[log] [tgz]
authorChad Brubaker <cbrubaker@google.com>Wed Jan 25 14:55:56 2017 -0800
committerChad Brubaker <cbrubaker@google.com>Mon Feb 06 10:16:50 2017 -0800
tree61f28f515b54bf7274eed7a322abcf986335b99b
parenta38067c770addb7f1d405113534ec02707b8816c [diff] [blame]
Merge ephemeral data and apk files into app

The rules for the two types were the same and /data/app-ephemeral is
being removed. Remove these types.

Test: Builds
Change-Id: I520c026395551ad1362dd2ced53c601d9e6f9b28

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3e58ccf..b4a2181 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -14,14 +14,6 @@
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
-# App sandbox file accesses.
-allow ephemeral_app ephemeral_data_file:dir create_dir_perms;
-allow ephemeral_app ephemeral_data_file:{ file sock_file fifo_file } create_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow ephemeral_app ephemeral_apk_data_file:dir r_dir_perms;
-allow ephemeral_app ephemeral_apk_data_file:file { r_file_perms execute };
-
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
@@ -36,7 +28,7 @@
 ###
 
 # Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app ephemeral_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;