Don't allow dexoptanalyzer to open app_data_files Test: manual(installd flow without sepolicy denials) Bug: 67111829 Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0

commit: b8a424994fec00a49b9ba6c455ac74fce3d40636 [log] [tgz]
author: Shubham Ajmera <shubhamajmera@google.com> Tue Oct 24 17:17:57 2017 -0700
committer: Shubham Ajmera <shubhamajmera@google.com> Thu Nov 02 10:45:09 2017 -0700
tree: 166233c9c7292281bcf767cfd6f4b60a1ae35771
parent: bf4786cf0e62c39f35194a93320564802ebb9819 [diff]
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1c23f57..dfc81b8 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te

@@ -20,7 +20,7 @@
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
+allow dexoptanalyzer app_data_file:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
commit	b8a424994fec00a49b9ba6c455ac74fce3d40636	[log] [tgz]
author	Shubham Ajmera <shubhamajmera@google.com>	Tue Oct 24 17:17:57 2017 -0700
committer	Shubham Ajmera <shubhamajmera@google.com>	Thu Nov 02 10:45:09 2017 -0700
tree	166233c9c7292281bcf767cfd6f4b60a1ae35771
parent	bf4786cf0e62c39f35194a93320564802ebb9819 [diff]