Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 63c7b0fa1886e46195f0eee37a0ba622d5a8578e^! / .
commit63c7b0fa1886e46195f0eee37a0ba622d5a8578e[log] [tgz]
authorAndreas Gampe <agampe@google.com>Thu Feb 21 16:01:50 2019 -0800
committerAndreas Gampe <agampe@google.com>Fri Feb 22 05:11:08 2019 -0800
treef67c4e94a54adf12fd381b043152deafbe470c43
parentcac127c8fdae88a4080161959bc864f188d27625 [diff]
Sepolicy: Move dalvik cache neverallow to private

In preparation for additions that should be private-only, move
the neverallows to domain's private part.

Bug: 125474642
Test: m
Change-Id: I7def500221701500956fc0b6948afc58aba5234e

diff --git a/private/domain.te b/private/domain.te
index 9db19f1..8b502f3 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -204,3 +204,26 @@
   -init
   -vendor_init
 } cgroup_rc_file:file no_w_file_perms;
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+  domain
+  -init # TODO: limit init to relabelfrom for files
+  -zygote
+  -installd
+  -postinstall_dexopt
+  -cppreopts
+  -dex2oat
+  -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+  domain
+  -init
+  -installd
+  -postinstall_dexopt
+  -cppreopts
+  -dex2oat
+  -zygote
+  -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;

diff --git a/public/domain.te b/public/domain.te
index 2621d81..9a66a62 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -1071,29 +1071,6 @@
   }:file *;
 ')
 
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
-  domain
-  -init # TODO: limit init to relabelfrom for files
-  -zygote
-  -installd
-  -postinstall_dexopt
-  -cppreopts
-  -dex2oat
-  -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
-  domain
-  -init
-  -installd
-  -postinstall_dexopt
-  -cppreopts
-  -dex2oat
-  -zygote
-  -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
 # Only system_server should be able to send commands via the zygote socket
 neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
 neverallow { domain -system_server } zygote_socket:sock_file write;