Merge changes Icd71c967,I3fd90ad9
* changes:
Do not permit appdomain to create/write to download_file.
Remove duplicated rules between appdomain and isolated_app.
diff --git a/app.te b/app.te
index fd16764..27079cd 100644
--- a/app.te
+++ b/app.te
@@ -66,7 +66,6 @@
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
-binder_call(appdomain, isolated_app)
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
@@ -82,8 +81,8 @@
allow appdomain system_data_file:lnk_file getattr;
# Allow all applications to read downloaded files
+allow appdomain download_file:dir search;
allow appdomain download_file:file r_file_perms;
-file_type_auto_trans(appdomain, download_file, download_file)
# Allow applications to communicate with netd via /dev/socket/dnsproxyd
# to do DNS resolution
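Review bot: The comment above the download_file rules still reads only "Allow all applications to read downloaded files", so nothing at this site records that create/write access was dropped on purpose. I would extend it to something like `# Read-only: appdomain may search the dir and read files, but must not create or write download_file.` so a later change does not restore the macro by accident. With `file_type_auto_trans(appdomain, download_file, download_file)` removed, any domain that legitimately writes downloads needs its own allow rules and type transition; none is visible in this diff, so confirm one exists and watch for new avc denials on download_file after the change. The new `dir search` without `read` lets an app open a known path but not list the directory, which looks intentional and could be stated in the same comment.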
diff --git a/isolated_app.te b/isolated_app.te
index 1b33484..3b99e37 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,9 +13,6 @@
permissive isolated_app;
app_domain(isolated_app)
-# Appdomain interaction with isolated apps
-r_dir_file(appdomain, isolated_app)
-
# Already connected, unnamed sockets being passed over some other IPC
# hence no sock_file or connectto permission. This appears to be how
# Chrome works, may need to be updated as more apps using isolated services