Merge "Block SDK 28 app from using proc/net/xt_qtaguid"
diff --git a/public/app.te b/public/app.te
index 3c29946..e6bf888 100644
--- a/public/app.te
+++ b/public/app.te
@@ -170,14 +170,38 @@
')
# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_proc:file rw_file_perms;
r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
# Exclude isolated app which may not use network sockets.
-r_dir_file({ appdomain -isolated_app }, proc_qtaguid_stat)
+r_dir_file({
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+}, proc_qtaguid_stat)
# Everybody can read the xt_qtaguid resource tracking misc dev.
# So allow all apps to read from /dev/xt_qtaguid.
-allow { appdomain -isolated_app } qtaguid_device:chr_file r_file_perms;
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ ephemeral_app
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_device:chr_file r_file_perms;
# Grant GPU access to all processes started by Zygote.
# They need that to render the standard UI.