commit c42d134e076908c83d9a599cfa1655eb4323773b
author Alex Klyubin <klyubin@google.com> Mon Jan 09 14:52:59 2017 -0800
committer Alex Klyubin <klyubin@google.com> Mon Jan 09 14:52:59 2017 -0800
tree a386ad2443a53258a88c43e9cd41fef208bd6c20
parent 665b75e638398baf4ecacef9c725977af2634232

Move platform_app policy to private

This leaves only the existence of platform_app domain as public API.
All other rules are implementation details of this domain's policy and
are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules from platform_app_current
      attribute (as expected).
Bug: 31364497

Change-Id: I47bb59fdfc07878c91fd5e207735cd0c07a128da

private/platform_app.te

diff --git a/private/platform_app.te b/private/platform_app.te
index f156cc1..ee1c9d3 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -1 +1,60 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app domain_deprecated;
+
 app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp, /data/app-ephemeral/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file ephemeral_apk_tmp_file}:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app vfat:dir create_dir_perms;
+allow platform_app vfat:file create_file_perms;
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+
+# Access to ephemeral APKs
+allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
+allow platform_app ephemeral_apk_data_file:file r_file_perms;