Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c4cf98605de285843b3cfdb9afce5ae43b3ae16d^! / .
commitc4cf98605de285843b3cfdb9afce5ae43b3ae16d[log] [tgz]
authorNick Kralevich <nnk@google.com>Tue Oct 30 03:30:22 2018 +0000
committerNick Kralevich <nnk@google.com>Tue Oct 30 03:30:55 2018 +0000
tree09ad674cf3384d23ca87e988852ccd56148bb9fb
parent581e6c471cefa7af86d6391a1431dc225e0afcb1 [diff]
Revert "SELinux changes for AppFuse"

This reverts commit 67ed4328eb4835f4404151ee4bbb93d0f4500354.

Reason for revert: Broken CTS test. See b/118642091

Bug: 118642091
Bug: 110379912
Change-Id: I5afd16bf23149c74f2740720cdd248a255ff1497

diff --git a/private/system_server.te b/private/system_server.te
index 8a0fb8e..42a89d4 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -740,7 +740,8 @@
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };

diff --git a/public/app.te b/public/app.te
index 63fc388..7f0d554 100644
--- a/public/app.te
+++ b/public/app.te

@@ -55,9 +55,6 @@
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
-# For AppFuse.
-allow appdomain vold:fd use;
-
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 

diff --git a/public/vold.te b/public/vold.te
index 236604f..9091b69 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -229,8 +229,6 @@
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
 
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;