Remove zygote write access to system_data_file.
These rules seem to be a legacy of old Android or perhaps old policy
before we began splitting types on /data. I have not been able to
trigger the auditallow rules on AOSP master. Reduce the rules to
only read access to system data. If we need write access to some
specific directory under /data, we should introduce a type for it.
Change-Id: I780835950cc366c97b7d0901fc73527d9ea479b1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/zygote.te b/zygote.te
index a1b6068..4d169f3 100644
--- a/zygote.te
+++ b/zygote.te
@@ -17,11 +17,10 @@
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
-# Write to system data.
-allow zygote system_data_file:dir rw_dir_perms;
-allow zygote system_data_file:file create_file_perms;
-auditallow zygote system_data_file:dir { write add_name remove_name };
-auditallow zygote system_data_file:file { create setattr write append link unlink rename };
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+# Write to /data/dalvik-cache.
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.