Remove world-read access to /data/dalvik-cache/profiles

Remove /data/dalvik-cache/profiles from domain. Profiling information
leaks data about how people interact with apps, so we don't want
the data to be available in all SELinux domains.

Add read/write capabilities back to app domains, since apps need to
read/write profiling data.

Remove restorecon specific rules. The directory is now created by
init, not installd, so installd doesn't need to set the label.

Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
diff --git a/app.te b/app.te
index 44cd266..73febbc 100644
--- a/app.te
+++ b/app.te
@@ -131,7 +131,8 @@
 allow appdomain dalvikcache_data_file:file execute;
 
 # /data/dalvik-cache/profiles
-allow appdomain dalvikcache_profiles_data_file:file write;
+allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
+allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;
 
 # Allow any app to read shared RELRO files.
 allow appdomain shared_relro_file:dir search;
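Review bot: The two added `appdomain` rules on `dalvikcache_profiles_data_file` let every app domain open, read and write any file carrying that label, so at the SELinux layer one app's profile is not separated from another's. Whatever keeps apps apart must come from per-file ownership and mode bits, which this change does not show. Since the commit message treats this data as sensitive, I would record that dependency next to the rule, e.g. `# All apps share this type; per-app separation of profile files relies on DAC ownership/mode.`, and confirm the files are not created group- or world-readable. Granting only `search getattr` on the directory stops listing, but that gives little protection if the file names are predictable.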
diff --git a/domain.te b/domain.te
index c5db6bb..b161467 100644
--- a/domain.te
+++ b/domain.te
@@ -101,8 +101,6 @@
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
 allow domain dalvikcache_data_file:file r_file_perms;
-allow domain dalvikcache_profiles_data_file:dir { search getattr };
-allow domain dalvikcache_profiles_data_file:file r_file_perms;
 
 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;
diff --git a/installd.te b/installd.te
index 586f426..eed0343 100644
--- a/installd.te
+++ b/installd.te
@@ -46,8 +46,6 @@
 allow installd dalvikcache_data_file:file create_file_perms;
 
 # Create /data/dalvik-cache/profiles.
-allow installd dalvikcache_data_file:dir relabelfrom;
-allow installd dalvikcache_profiles_data_file:dir relabelto;
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;
 
diff --git a/system_server.te b/system_server.te
index 11a1ebe..fc0da2b 100644
--- a/system_server.te
+++ b/system_server.te
@@ -195,6 +195,10 @@
 allow system_server dalvikcache_data_file:dir create_dir_perms;
 allow system_server dalvikcache_data_file:file create_file_perms;
 
+# Read from /data/dalvik-cache/profiles
+allow system_server dalvikcache_profiles_data_file:dir w_dir_perms;
+allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;
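Review bot: The new comment `# Read from /data/dalvik-cache/profiles` does not match the rules under it: `w_dir_perms` and `create_file_perms` let system_server add, remove, create, rename and unlink entries, not only read them. If reading is all that is needed, `r_dir_perms` on the directory and `r_file_perms` on the files would be the narrower grant. If system_server really manages these files, the comment should say so, e.g. `# Manage /data/dalvik-cache/profiles`. The commit message does not mention system_server, so the intent cannot be confirmed from this page. The retained `# Create /data/dalvik-cache/profiles.` comment in installd.te is similarly out of date now that the message says init creates the directory.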