Revert "Allow rule to let settings access apex files"
This reverts commit 0c0ba46192d0faf8a5fa143fbdfeb32d6bd974a9.
Reason for revert: <Broken build 5695273 on aosp-master on aosp_x86_64-eng>
Change-Id: I763f19aa5b72f2e1aaebbc78bb8ab3020c3d2a7b
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index d2d0209..037a7d5 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -169,7 +169,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
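Review bot: The visible comment above this rule justifies only tamper protection ("do not change between system_server staging the files and apexd processing"), yet the restored `neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;` bans every permission, reads included, and nothing in the hunk says that is deliberate. A line such as `# Reads are banned too: a domain exempted here is freed from the ban on every file permission, not only writes.` would steer a future re-land of the Settings access toward something narrower than a blanket exemption. The comment block begins outside the hunk, so this may already be stated further up. The same point applies to the identical hunk in private/domain.te.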
diff --git a/prebuilts/api/29.0/private/system_app.te b/prebuilts/api/29.0/private/system_app.te
index 9ed1d36..e8627151 100644
--- a/prebuilts/api/29.0/private/system_app.te
+++ b/prebuilts/api/29.0/private/system_app.te
@@ -24,12 +24,6 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index f048814..f0da59c 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -1018,7 +1018,7 @@
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
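Review bot: Dropping `getattr` from `allow system_server apex_data_file:dir` rides along with this revert, although the commit message ties the original change to Settings (system_app) and the revert to a build break, neither of which obviously involves system_server. If system_server stats directories labelled apex_data_file, this line will presumably bring back `avc: denied { getattr }` entries with scontext system_server and tclass dir, so it is worth checking the audit log on a build that carries the revert. On re-land, `allow system_server apex_data_file:dir { getattr search };` would be better as its own change with its own justification in the comment. The same hunk appears in private/system_server.te.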
diff --git a/private/domain.te b/private/domain.te
index d2d0209..037a7d5 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -169,7 +169,7 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -24,12 +24,6 @@
# Access to vold-mounted storage for measuring free space
allow system_app mnt_media_rw_file:dir search;
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
# Read wallpaper file.
allow system_app wallpaper_file:file r_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index 33d0032..1626fab 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1022,7 +1022,7 @@
# needs these privileges to compare file signatures while processing installs.
#
# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:dir search;
allow system_server apex_data_file:file r_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can