From 44cb98a7647303aedc9f89ef9a14937f59bec6ed Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 17 Oct 2014 18:26:28 +0000
Subject: [PATCH] Revert "Do not allow isolated_app to directly open app data files."
This is causing the version of Chrome in Android's tree to crash. The version of Chrome in Android's tree does not have the following patch: https://codereview.chromium.org/630123003 Until Chrome updates the version in Android's tree, we need to revert. Works around the following denials: audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir This reverts commit 669a97730376e919813411fcfdddac35bd7236ae.
Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
---
app.te | 4 ++--
isolated_app.te | 6 ------
2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/app.te b/app.te
index d03b9aa86..ea74cb073 100644
--- a/app.te
+++ b/app.te
@@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; # App sandbox file accesses. -allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; -allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; +allow appdomain app_data_file:dir create_dir_perms; +allow appdomain app_data_file:notdevfile_class_set create_file_perms; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; diff --git a/isolated_app.te b/isolated_app.te index 6fc7a99ab..f17372aec 100644 --- a/isolated_app.te +++ b/isolated_app.te @@ -12,12 +12,6 @@ type isolated_app, domain; app_domain(isolated_app) -# Access already open app data files received over Binder or local socket IPC. -allow isolated_app app_data_file:file { read write getattr }; - -# Isolated apps should not directly open app data files themselves. -neverallow isolated_app app_data_file:file open; - # Isolated apps shouldn't be able to access the driver directly. neverallow isolated_app gpu_device:file { rw_file_perms execute }; -- GitLab
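Review bot: The two restored `allow appdomain app_data_file:...` rules in app.te hand isolated_app the full `create_dir_perms` and `create_file_perms` sets again, although the denials quoted in the commit message are only `search` and `getattr` on the app data directory. If those are the only accesses the in-tree Chrome needs, keeping `{ appdomain -isolated_app }` and adding `allow isolated_app app_data_file:dir { search getattr };` would be a narrower workaround; a file `open` denial may well follow once the directory lookup succeeds, so this needs testing on a device before it can replace the revert. If the full revert stays, a marker above the rules such as `# TODO(b/18006219): exclude isolated_app again once the in-tree Chrome stops opening app data files directly` would keep the restriction from being forgotten, since the isolated_app.te hunk also removes the `neverallow isolated_app app_data_file:file open;` that would otherwise flag the broad grant at policy build time.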