Merge "fsck: allow e2fsck to stat swap_block_device"
diff --git a/app.te b/app.te
index 3240392..b03355f 100644
--- a/app.te
+++ b/app.te
@@ -321,9 +321,7 @@
# This is the default type for anything under /data not otherwise
# specified in file_contexts. Define a different type for portions
# that should be writable by apps.
-# Exception for system_app for Settings.
-neverallow { appdomain -system_app }
- system_data_file:dir_file_class_set
+neverallow appdomain system_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Write to various other parts of /data.
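Review bot: The comment explaining the former system_app carve-out is deleted together with the exception, so the tightened neverallow on the added line carries no record of why every appdomain can now be covered. A reader of app.te alone cannot see that system_app's writable /data paths are expected to carry their own type (the system_app.te hunk in this same diff points at misc_user_data_file, but app.te says nothing). A one-line note above the rule would keep that rationale local, e.g. `# system_app is included: its writable /data paths are labeled with their own types (see system_app.te).` The permission list on the following line is unchanged and the section continues past the hunk.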
diff --git a/system_app.te b/system_app.te
index 36c5cfc..8589a9d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -16,16 +16,9 @@
allow system_app keychain_data_file:dir r_dir_perms;
allow system_app keychain_data_file:file r_file_perms;
-# Read and write to other system-owned /data directories, such as
-# /data/system/cache and /data/misc/user.
-allow system_app system_data_file:dir create_dir_perms;
-allow system_app system_data_file:file create_file_perms;
+# Read and write to /data/misc/user.
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
-# Audit writes to these directories and files so we can identify
-# and possibly move these directories into their own type in the future.
-auditallow system_app system_data_file:dir { create setattr add_name remove_name rmdir rename };
-auditallow system_app system_data_file:file { create setattr append write link unlink rename };
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
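Review bot: Removing both the allow and the auditallow rules on system_data_file leaves no path for system_app to /data/system/cache, which the deleted comment named as a consumer; if that directory is still labeled system_data_file, those writes now fail with a denial instead of producing an audit record. No file_contexts change appears in this diff, so either the relabel landed separately or the cache path is now unwritable by Settings — worth confirming before this merges. If the relabel did land elsewhere, naming it in the surviving comment would spare the next reader the same question, e.g. `# Read and write to /data/misc/user; /data/system/cache is labeled <new type> and system_app no longer touches system_data_file.` The remaining /data rules for system_app lie outside the hunk.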
diff --git a/vold.te b/vold.te
index e7996e1..8416531 100644
--- a/vold.te
+++ b/vold.te
@@ -168,6 +168,9 @@
allow vold sysfs_zram:dir r_dir_perms;
allow vold sysfs_zram_uevent:file rw_file_perms;
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
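Review bot: The added rule lets vold execute the toolbox binary in its own domain — no domain transition appears in this hunk — so cp and rm inherit every permission vold holds, and because toolbox_exec labels one multiplexed binary the grant is not limited to those two applets. The comment should state that trade-off so it is visible when the rule is revisited, e.g. `# MoveTask.cpp executes cp and rm; they run in the vold domain (no transition), and this also permits any other toolbox applet.` If the move could be done in-process instead, the grant could be dropped entirely, but nothing in the diff indicates that option was considered. The neverallow lines that follow are unchanged context.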