Merge "zygote.te: clean up and tighten app data isolation rules"
diff --git a/private/apexd.te b/private/apexd.te
index 040651d..0cafd3c 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -86,7 +86,6 @@
allow apexd apex_info_file:file relabelto;
# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
allow apexd apex_info_file:file rw_file_perms;
-allow apexd apex_info_file:file mounton;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
diff --git a/private/sdk_sandbox.te b/private/sdk_sandbox.te
index 74ede2a..46e7be8 100644
--- a/private/sdk_sandbox.te
+++ b/private/sdk_sandbox.te
@@ -110,7 +110,7 @@
### neverallow rules
###
-neverallow sdk_sandbox { app_data_file privapp_data_file }:file { execute execute_no_trans };
+neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans };
# Receive or send uevent messages.
neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *;
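Review bot: The widened neverallow on the `+` line has no comment saying what it protects, unlike the uevent rule directly below it, so the reason for adding `sdk_sandbox_data_file` is not recorded next to the rule. I would put a line above it such as `# SDK sandbox must never execute files from app, priv-app or SDK sandbox data storage.` Because a neverallow is a build-time assertion rather than a runtime deny, it only holds for the types listed in the set. It would be worth confirming that sdk_sandbox has no other writable data type left outside this set, which cannot be checked from this hunk.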