Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e47d2365a8955901e29a1b571f78f315f089ec38^! / . / private
commite47d2365a8955901e29a1b571f78f315f089ec38[log] [tgz]
authorCosmo Hsieh <cosmohsieh@google.com>Fri Jun 28 09:51:28 2019 +0000
committerCosmo Hsieh <cosmohsieh@google.com>Fri Jun 28 09:51:28 2019 +0000
treef00462ffac61b9d8561f9294882e4a91d7bff86a
parent0c0ba46192d0faf8a5fa143fbdfeb32d6bd974a9 [diff]
Revert "Allow rule to let settings access apex files"

This reverts commit 0c0ba46192d0faf8a5fa143fbdfeb32d6bd974a9.

Reason for revert: <Broken build 5695273 on aosp-master on aosp_x86_64-eng>

Change-Id: I763f19aa5b72f2e1aaebbc78bb8ab3020c3d2a7b

diff --git a/private/domain.te b/private/domain.te
index d2d0209..037a7d5 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -169,7 +169,7 @@
 # do not change between system_server staging the files and apexd processing
 # the files.
 neverallow { domain -init -system_server -apexd -installd} staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -kernel -installd } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -kernel -installd } staging_data_file:file *;
 neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
 # apexd needs the link and unlink permissions, so list every `no_w_file_perms`
 # except for `link` and `unlink`.

diff --git a/private/system_app.te b/private/system_app.te
index 9ed1d36..e8627151 100644
--- a/private/system_app.te
+++ b/private/system_app.te

@@ -24,12 +24,6 @@
 # Access to vold-mounted storage for measuring free space
 allow system_app mnt_media_rw_file:dir search;
 
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
 # Read wallpaper file.
 allow system_app wallpaper_file:file r_file_perms;
 

diff --git a/private/system_server.te b/private/system_server.te
index 33d0032..1626fab 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1022,7 +1022,7 @@
 # needs these privileges to compare file signatures while processing installs.
 #
 # Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
+allow system_server apex_data_file:dir search;
 allow system_server apex_data_file:file r_file_perms;
 
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can