Remove duplicated rules between appdomain and isolated_app.
r_dir_file(appdomain, isolated_app) was in both app.te and isolated_app.te;
delete it from isolated_app.te.
binder_call(appdomain, isolated_app) is a subset of binder_call(appdomain, appdomain); delete the narrower isolated_app rule from app.te.
Change-Id: I3fd90ad9c8862a0e4dad957425cbfbc9fa97c63f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index fd16764..65494ec 100644
--- a/app.te
+++ b/app.te
@@ -66,7 +66,6 @@
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
-binder_call(appdomain, isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
diff --git a/isolated_app.te b/isolated_app.te
index 1b33484..3b99e37 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,9 +13,6 @@
permissive isolated_app;
app_domain(isolated_app)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services