Commit 44cb98a7 authored by Nick Kralevich's avatar Nick Kralevich
Revert "Do not allow isolated_app to directly open app data files."

This is causing the version of Chrome in Android's tree to crash. The
version of Chrome in Android's tree does not have the following patch:
https://codereview.chromium.org/630123003

Until Chrome updates the version in Android's tree, we need to revert.

Works around the following denials:

audit(0.0:19): avc: denied { search } for name="com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:20): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir
audit(0.0:21): avc: denied { getattr } for path="/data/data/com.android.chrome" dev="mmcblk0p28" ino=1474658 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=dir

This reverts commit 669a9773.

Bug: 18006219
Change-Id: Id44137ec6a0dfe4a597b34ab3dad9e3feecc2a5e
parent e9623d8f
...@@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms; ...@@ -46,8 +46,8 @@ allow appdomain appdomain:fifo_file rw_file_perms;
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown }; allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses. # App sandbox file accesses.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms; allow appdomain app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms; allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned. # lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:dir r_dir_perms;
......
...@@ -12,12 +12,6 @@ ...@@ -12,12 +12,6 @@
type isolated_app, domain; type isolated_app, domain;
app_domain(isolated_app) app_domain(isolated_app)
# Access already open app data files received over Binder or local socket IPC.
allow isolated_app app_data_file:file { read write getattr };
# Isolated apps should not directly open app data files themselves.
neverallow isolated_app app_data_file:file open;
# Isolated apps shouldn't be able to access the driver directly. # Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute }; neverallow isolated_app gpu_device:file { rw_file_perms execute };
......
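Review bot: In the app.te hunk, dropping `-isolated_app` from both rules re-grants isolated_app the full `create_dir_perms` on `app_data_file:dir` and `create_file_perms` on `app_data_file:notdevfile_class_set`, which is far broader than what the logged denials ask for (`search` and `getattr` on the app data directory). Consider keeping the `{ appdomain -isolated_app }` exclusion and adding only `allow isolated_app app_data_file:dir { search getattr };` as the temporary workaround, and leave a comment citing Bug 18006219 next to whichever rule is changed so the exclusion is restored once Chrome picks up the upstream patch.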
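Review bot: In the isolated_app.te hunk, removing the `neverallow isolated_app app_data_file:file open;` also removes the compile-time guarantee that isolated processes cannot open app data files themselves; together with the app.te change this means isolated_app regains `open` on those files even though none of the three denials involve a file open. If the workaround is narrowed to directory `search`/`getattr` the neverallow can stay in place; either way, keep the comment explaining that isolated apps should only receive already-open files over Binder or local socket IPC so the intent is not lost when this is re-landed.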