From 0b430aba227c9628c6d6bf1b1534a93d544bc6de Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 12 May 2016 13:22:37 -0700
Subject: [PATCH] Remove domain_deprecated from isolated_app

Address denials:
avc: denied { read } for name="meminfo" dev="proc" ino=4026544360 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:proc_meminfo:s0 tclass=file permissive=0

Bug: 28722489
Change-Id: I3c55bd95bb82ec54e88e9e9bc42d6392a216a936
---
 app.te           | 3 +++
 isolated_app.te  | 2 +-
 untrusted_app.te | 3 ---
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index 48db05d07..7a679fdb7 100644
--- a/app.te
+++ b/app.te
@@ -205,6 +205,9 @@ allow appdomain console_device:chr_file { read write };
 
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
 
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
 # For app fuse.
 allow appdomain app_fuse_file:file { getattr read append write };
 
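Review bot: The new `allow appdomain proc_meminfo:file r_file_perms;` grants /proc/meminfo to every app domain, which is wider than the single isolated_app denial quoted in the commit message plus the untrusted_app rule this patch removes. The rule just above it uses `{ appdomain -isolated_app }` for ion_device, so isolated_app is otherwise treated as the most restricted app domain. If only these two domains need the file, `allow { untrusted_app isolated_app } proc_meminfo:file r_file_perms;` keeps the grant to them. Other app domains may already read meminfo through domain_deprecated, which this patch does not show, so confirm that before narrowing. The TODO would also be more useful if it recorded the exposure, e.g. `# Apps read /proc/meminfo directly, so system-wide memory statistics are visible to every app domain until this moves to the meminfo service.`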
diff --git a/isolated_app.te b/isolated_app.te
index 34fe41c65..124fde92a 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -9,7 +9,7 @@
 ### additional following rules:
 ###
 
-type isolated_app, domain, domain_deprecated;
+type isolated_app, domain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
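Review bot: The new `type isolated_app, domain;` line drops every permission isolated_app inherited through domain_deprecated, but the patch restores only the proc_meminfo read and the commit message quotes a single denial. The quoted denial shows permissive=0, so any other inherited access still in use will be denied at runtime rather than caught at build time. A comment above the declaration would help keep the attribute from being re-added later, e.g. `# isolated_app intentionally lacks domain_deprecated; grant any missing access with a narrow rule in this file.` The header comment block above the declaration starts outside the hunk.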
diff --git a/untrusted_app.te b/untrusted_app.te
index 1c17e3091..a61384bb8 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -84,9 +84,6 @@ userdebug_or_eng(`
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow untrusted_app self:process ptrace;
 
-# TODO: switch to meminfo service
-allow untrusted_app proc_meminfo:file r_file_perms;
-
 # access /proc/net/xt_qtguid/stats
 r_dir_file(untrusted_app, proc_net)
 
-- 
GitLab