Merge "Add neverallow checking to sepolicy-analyze."
diff --git a/app.te b/app.te
index 491eea3..be3ead8 100644
--- a/app.te
+++ b/app.te
@@ -46,8 +46,8 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
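Review bot: The comment `# App sandbox file accesses.` on the line above the two changed rules no longer describes them, since isolated_app is now carved out of the subject set and a reader of app.te alone cannot tell why or where its access is defined. I would extend it to something like `# App sandbox file accesses. isolated_app is excluded here; it may only use app data fds handed to it by another domain (see isolated_app.te).` Note also that the second rule's `notdevfile_class_set` covers lnk_file, sock_file and fifo_file as well as file, so the exclusion removes all of those for isolated_app, not just regular-file access; if that is the intent the comment should say so.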
diff --git a/isolated_app.te b/isolated_app.te
index f17372a..6fc7a99 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,6 +12,12 @@
type isolated_app, domain;
app_domain(isolated_app)
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { read write getattr };
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute };
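Review bot: The new `neverallow isolated_app app_data_file:file open;` pins only the single `open` permission, so a later `allow` of create, unlink, append, ioctl or lock on `file`, or of any permission on `dir`, `lnk_file`, `sock_file` or `fifo_file`, would not trip the assertion even though it would contradict the stated intent. Since the allow on the line above is the complete set isolated_app is meant to have, the complement form expresses the policy directly: `neverallow isolated_app app_data_file:file ~{ read write getattr };`. If no other rule grants isolated_app directory access on app_data_file (none is visible in this diff, and app.te now excludes it from create_dir_perms), adding `neverallow isolated_app app_data_file:dir *;` would also lock in that it cannot search or list the sandbox directory; this is an inference and should be confirmed against the rest of the policy. The comment on the allow rule could also state the trust assumption explicitly, e.g. `# The fd must be opened and handed over by a non-isolated domain; isolated_app itself never opens app_data_file.`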
diff --git a/untrusted_app.te b/untrusted_app.te
index 7e67ea8..2b2a2e7 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -101,4 +101,4 @@
# Allow verifier to access staged apks.
allow untrusted_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
\ No newline at end of file
+allow untrusted_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;