Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7ba4801b6e6cd03e0a2ec6832556c7112f1a5c59^! / . / private / app.te
commit7ba4801b6e6cd03e0a2ec6832556c7112f1a5c59[log] [tgz]
authorThiƩbaud Weksteen <tweek@google.com>Mon Mar 20 12:56:43 2023 +1100
committerThiƩbaud Weksteen <tweek@google.com>Thu Mar 23 12:59:21 2023 +1100
treeac3243391e8b132ddc4d40dd98554db8a4283d5c
parent0099ba37f3ff1af16dd09edd56d6107b2a40099d [diff] [blame]
Remove implicit access for isolated_app

Bug: 265960698
Test: flash, boot and use Chrome; no denials related to isolated_app
Test: crash Chrome using chrome://crash; no new denials from
      isolated_app
Test: atest CtsWebkitTestCases
Change-Id: I0b9e433eb973a5e99741fc88be5e13e9704c9c9e

diff --git a/private/app.te b/private/app.te
index b6b4714..5c3472d 100644
--- a/private/app.te
+++ b/private/app.te

@@ -136,14 +136,14 @@
 neverallow appdomain tombstone_data_file:file ~{ getattr read };
 
 # Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } shell_exec:file rx_file_perms;
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_file:file x_file_perms;')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -sdk_sandbox }, vendor_app_file)
-allow { appdomain -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
+r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox }, vendor_app_file)
+allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } vendor_app_file:file execute;
 
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox)
@@ -172,7 +172,7 @@
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } usbaccessory_device:chr_file { read write getattr };
 
 #logd access
-control_logd({ appdomain -ephemeral_app -sdk_sandbox })
+control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox })
 
 # application inherit logd write socket (urge is to deprecate this long term)
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox } keystore:keystore_key { get_state get insert delete exist list sign verify };
@@ -309,16 +309,16 @@
 allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
 
 # Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
+allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
 
 # Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
+allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
 
 # Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
+allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
 
 # Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
+allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
 
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #