sepolicy: restrict access for /vendor/framework.
/vendor/framework is now the designated location for the vendor's platform
libraries. The directory is thus only made available to the 'dex2oat'
coredomain.
Bug: 36680116
Test: Boot sailfish & angler and launch gApps, dialer w/ no denials for
'vendor_framework_file'
Change-Id: I24c2ec30f836330005a972ae20d839bef9dcb8aa
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/public/dex2oat.te b/public/dex2oat.te
index bbd3c72..2fb2336 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -5,6 +5,9 @@
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
allow dex2oat tmpfs:file { read getattr };
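Review bot: The two new rules on the vendor_framework_file lines deliberately grant less than the `r_dir_file` macro used two lines above (no `read` on the directory, so dex2oat can open files under /vendor/framework by known path but cannot enumerate the directory), yet the comment does not say so, and a later editor is likely to "normalize" it to `r_dir_file(dex2oat, vendor_framework_file)` and widen the grant. Suggest making the intent explicit in the comment: `# Access /vendor/framework: search + read of known paths only; dex2oat does not need to list the directory.` Note also that no `lnk_file` permission is granted here, whereas the surrounding policy treats /vendor/app symlinks specially; if any entry under /vendor/framework is a symlink on a device tree the open will be denied, which is worth confirming before merging rather than waiting for an avc denial.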
diff --git a/public/domain.te b/public/domain.te
index ffa8d44..b744206 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@
# TODO: b/36806861
allow domain vendor_app_file:lnk_file { open read };
- # TODO: b/36680116, find out who neeeds access and only allow
- # specific domains
- allow domain vendor_framework_file:dir r_dir_perms;
- allow domain vendor_framework_file:file { read open getattr };
-
# Allow reading and executing out of /vendor to all vendor domains
allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
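Review bot: Dropping the domain-wide grant narrows access, but nothing in the patch pins the new boundary: any later `allow <some_coredomain> vendor_framework_file:file ...` quietly reverts it, which is how the blanket rule ended up here under a TODO in the first place. A `neverallow` beside the vendor rule at the end of the hunk would make the restriction enforced at policy-build/CTS time, e.g. `neverallow { coredomain -dex2oat } vendor_framework_file:file { open read };` (if other neverallows in this file exempt domains that relabel or manage /vendor, mirror those exemptions here). Note also that the commit message's "only made available for dex2oat" holds only among coredomains: if vendor_framework_file is declared with the vendor_file_type attribute, every non-core vendor domain still reads and executes it through the two remaining rules, which is presumably intended but should be stated so nobody reads the new policy as dex2oat-exclusive. The domain.te rule set continues past the end of this hunk.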