Non app processes shouldn't be able to peek checkin data
Change-Id: I1df0ce47ae9d08f66689f82e21656cbdd70d7f25
Test: Manually built the change and flashed the device.
Bug: 197636740
diff --git a/private/app.te b/private/app.te
index c8f455b..90ea7cd 100644
--- a/private/app.te
+++ b/private/app.te
@@ -503,8 +503,4 @@
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
-}:file no_x_file_perms;
-
-# For now, don't allow apps other than gmscore to access /data/misc_ce/<userid>/checkin
-neverallow { appdomain -gmscore_app } checkin_data_file:dir *;
-neverallow { appdomain -gmscore_app } checkin_data_file:file *;
+}:file no_x_file_perms;
\ No newline at end of file
diff --git a/private/domain.te b/private/domain.te
index 953ddce..00936b8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -737,3 +737,6 @@
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow { domain -init } mtectrl:process { dyntransition transition };
+
+# For now, don't allow processes other than gmscore to access /data/misc_ce/<userid>/checkin
+neverallow { domain -gmscore_app -init -vold_prepare_subdirs } checkin_data_file:{dir file} *;
\ No newline at end of file
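Review bot: The added neverallow in private/domain.te exempts `init` and `vold_prepare_subdirs` for every permission on both `dir` and `file`, but the comment above it still says only gmscore may access the directory and gives no reason for the two extra exemptions. If those domains only need to create, relabel or clean up `/data/misc_ce/<userid>/checkin` (an assumption, since their allow rules are not in this diff), say so in the comment, e.g. `# init and vold_prepare_subdirs are exempt only to create, relabel and remove the directory tree`. Also consider a second rule that keeps the file contents closed to them, such as `neverallow { domain -gmscore_app } checkin_data_file:file { read write append };`. Separately, both this file and private/app.te now end without a trailing newline; restoring it keeps the last statement intact if the policy sources are concatenated at build time.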