commit b238fe666212ce86fe3fe1521e9692a361a53047
author Fyodor Kupolov <fkupolov@google.com> Tue Mar 14 11:42:03 2017 -0700
committer Fyodor Kupolov <fkupolov@google.com> Wed Mar 15 00:49:37 2017 +0000
tree 01eff8e974e399a8ab9812f383bf98bc4b4fbfd7
parent 41518bec2508c85eb8797980321d3912b4598261

Split preloads into media_file and data_file

Untrusted apps should only access /data/preloads/media and demo directory.

Bug: 36197686
Test: Verified retail mode.
      Checked non-privileged APK cannot access /data/preloads
Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446

private/untrusted_app_all.te

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6534412..993b3d0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -88,6 +88,7 @@
 allow untrusted_app_all sysfs_hwrandom:dir search;
 allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 
-# Allow apps to view preloaded content
-allow untrusted_app_all preloads_data_file:dir r_dir_perms;
-allow untrusted_app_all preloads_data_file:file r_file_perms;
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;