Merge "priv_app: Remove rules for system_update_service"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb798e3..6248cab 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -136,8 +136,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component except mediaprovider should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
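Review bot: The tightened rule at `+neverallow all_untrusted_apps fuse_device:chr_file *;` covers every chr_file permission with no carve-out, so it is only consistent if no allow rule anywhere still grants a member of all_untrusted_apps access to fuse_device; the mediaprovider.te hunk in this commit removes the one in private policy, but an equivalent rule in device or vendor policy would now fail at policy build time rather than be audited at runtime. The new comment records the prohibition but not why the mediaprovider exception went away, which is the part a later reader will ask about. Consider recording it on the comment line itself, e.g. `# No untrusted component should be touching /dev/fuse (the former mediaprovider exception was removed together with its allow rule)`.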
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,9 +34,6 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
-# Fuse daemon
-allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
-
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 02b7b82..161b245 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -14,13 +14,6 @@
# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
create_pty(priv_app)
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow priv_app self:process ptrace;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow priv_app self:process ptrace;
-')
-
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
diff --git a/private/zygote.te b/private/zygote.te
index e6c1db9..f1ccce6 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,6 +53,13 @@
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
+# Relabel /data/user /data/user_de and /data/data
+allow zygote tmpfs:{ dir lnk_file } relabelfrom;
+allow zygote system_data_file:{ dir lnk_file } relabelto;
+
+# Zygote opens /mnt/expand to mount CE DE storage on each vol
+allow zygote mnt_expand_file:dir { open read search relabelto };
+
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
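Review bot: The new `allow zygote mnt_expand_file:dir { open read search relabelto };` grants open, read and search but not getattr, while the third hunk of this file removes `allow zygote mnt_expand_file:dir getattr;`, so after this commit zygote appears to have no getattr on mnt_expand_file directories at all. SELinux does not imply getattr from open or search, so if zygote still stats /mnt/expand or the per-volume directories while mounting CE/DE storage this will show up as a denial; if dropping it is intended, say so in the comment, otherwise add it: `allow zygote mnt_expand_file:dir { open read search getattr relabelto };`. Separately, the relabelfrom/relabelto pair above applies to every tmpfs dir and symlink and every system_data_file target, not only the three paths the comment names, because these rules are scoped by type, not path; the comment could make clear that the path list describes expected use rather than what the policy enforces.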
@@ -61,7 +68,7 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get and set data directories
+# Get inode of data directories
allow zygote {
system_data_file
radio_data_file
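Review bot: The reworded comment `+# Get inode of data directories` now promises only an inode lookup, but the permission set it describes (the closing `}:dir ...` line of this `allow zygote {` rule) lies outside the hunk, so it cannot be confirmed here that the rule was narrowed alongside the comment. If the grant still carries setattr or relabel permissions, the old wording "Get and set" was the accurate one and the new comment understates what zygote can do. Naming the permission in the comment would make the intent checkable against the rule: `# Get inode (getattr) of data directories`. The allow statement continues past the end of the hunk.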
@@ -126,9 +133,6 @@
allow zygote { sdcard_type }:dir { create_dir_perms mounton };
allow zygote { sdcard_type }:file { create_file_perms };
-# Allow zygote to expand app files while preloading libraries
-allow zygote mnt_expand_file:dir getattr;
-
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
@@ -201,7 +205,7 @@
exported_bluetooth_prop
}:file create_file_perms;
-# Do not allow zygote to access app data except getting attributes and relabeling to.
+# Zygote should not be able to access app private data.
neverallow zygote {
privapp_data_file
app_data_file
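Review bot: The reworded comment `+# Zygote should not be able to access app private data.` drops the getattr/relabelto carve-out that the old wording documented, but the neverallow's permission list lies beyond the end of the hunk, so it is not visible here whether those two permissions were also removed from the exclusion. If they are still excluded, the comment should keep naming them so the exception is not later mistaken for a policy gap, e.g. `# Zygote should not be able to access app private data beyond getattr and relabelto.`; if they were removed, the earlier rule in this file that is commented "Get inode of data directories" should be checked for the same types. The neverallow statement continues outside the hunk.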