Merge "sepolicy: Add mmap for profman"
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c2ef14c..8c53030 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -265,8 +265,3 @@
# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
-
-# Untrusted apps are not allowed to use the signature|privileged|development
-# android.permission.READ_LOGS permission, so they may not read dropbox files.
-# Access to the the dropbox directory is covered by a neverallow for domain.
-neverallow all_untrusted_apps dropbox_data_file:file *;
diff --git a/private/platform_app.te b/private/platform_app.te
index eec503a..1ee65d3 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -27,9 +27,6 @@
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
-# Read access to FDs from the DropboxManagerService.
-allow platform_app dropbox_data_file:file { getattr read };
-
# Write to /cache.
allow platform_app cache_file:dir create_dir_perms;
allow platform_app cache_file:file create_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index f24afc0..101c448 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -54,9 +54,6 @@
allow priv_app media_rw_data_file:dir create_dir_perms;
allow priv_app media_rw_data_file:file create_file_perms;
-# Read access to FDs from the DropboxManagerService.
-allow priv_app dropbox_data_file:file { getattr read };
-
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
allow priv_app shell_data_file:file r_file_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 7a7411f..4ed1982 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,9 +24,6 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
-# Read access to FDs from the DropboxManagerService.
-allow system_app dropbox_data_file:file { getattr read };
-
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index 932116e..62a63cd 100644
--- a/public/app.te
+++ b/public/app.te
@@ -350,6 +350,9 @@
# Allow apps to run with asanwrapper.
with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+# Read access to FDs from the DropboxManagerService.
+allow appdomain dropbox_data_file:file { getattr read };
+
###
### Neverallow rules
###
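Review bot: The new `allow appdomain dropbox_data_file:file { getattr read };` extends dropbox file access from platform_app, priv_app and system_app to every app domain, including untrusted ones, and the same change deletes the `neverallow all_untrusted_apps dropbox_data_file:file *;` assertion in private/app_neverallows.te. With `open` not granted, an app can only use a descriptor handed to it, so the effective gate presumably becomes the permission check inside DropBoxManagerService. The comment should say that, e.g. `# open is deliberately not granted: apps may only read FDs passed by DropBoxManagerService, which must enforce READ_LOGS.` Rather than dropping the assertion entirely, consider narrowing it to `neverallow all_untrusted_apps dropbox_data_file:file ~{ getattr read };` so that a later rule cannot silently add `open` or `write` for untrusted apps.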