commit b6c262c23856a15dfec0f27c79acc5e6afdc5c92
author Jeffrey Vander Stoep <jeffv@google.com> Thu Dec 07 13:56:15 2023 +0000
committer Jeff Vander Stoep <jeffv@google.com> Thu Dec 07 16:52:28 2023 +0100
tree 72b69f2eb34baef67c93adc23afac00b84f63440
parent 226f837c4d7ec52f4763c180134cabe77c1395ed

Revert "Remove implicit access for isolated_app"

This reverts commit 7ba4801b6e6cd03e0a2ec6832556c7112f1a5c59.

Reason for revert: b/315295188

Change-Id: Ib4a4d68763f68bc1cebe6528ce4b81188f35ba49
Test: build and run on Cuttlefish. Verify that isolated_app denials go away.

private/app.te

diff --git a/private/app.te b/private/app.te
index 09f222b..b5bb474 100644
--- a/private/app.te
+++ b/private/app.te
@@ -137,14 +137,14 @@
 neverallow appdomain tombstone_data_file:file ~{ getattr read };
 
 # Execute the shell or other system executables.
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
-not_full_treble(`allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
+allow { appdomain -ephemeral_app -sdk_sandbox_all } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -sdk_sandbox_all } toolbox_exec:file rx_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_file:file x_file_perms;')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
-r_dir_file({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
-allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
+r_dir_file({ appdomain -ephemeral_app -sdk_sandbox_all }, vendor_app_file)
+allow { appdomain -ephemeral_app -sdk_sandbox_all } vendor_app_file:file execute;
 
 # Perform binder IPC to sdk sandbox.
 binder_call(appdomain, sdk_sandbox_all)
@@ -176,7 +176,7 @@
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } usbaccessory_device:chr_file { read write getattr };
 
 #logd access
-control_logd({ appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all })
+control_logd({ appdomain -ephemeral_app -sdk_sandbox_all })
 
 # application inherit logd write socket (urge is to deprecate this long term)
 allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } keystore:keystore2_key { delete use get_info rebind update };
@@ -315,16 +315,16 @@
 allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
 
 # Read/write wallpaper file (opened by system).
-allow { appdomain -isolated_app_all } wallpaper_file:file { getattr read write map };
+allow appdomain wallpaper_file:file { getattr read write map };
 
 # Read/write cached ringtones (opened by system).
-allow { appdomain -isolated_app_all } ringtone_file:file { getattr read write map };
+allow appdomain ringtone_file:file { getattr read write map };
 
 # Read ShortcutManager icon files (opened by system).
-allow { appdomain -isolated_app_all } shortcut_manager_icons:file { getattr read map };
+allow appdomain shortcut_manager_icons:file { getattr read map };
 
 # Read icon file (opened by system).
-allow { appdomain -isolated_app_all } icon_file:file { getattr read map };
+allow appdomain icon_file:file { getattr read map };
 
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #