Change security policy so all apps can read /dev/xt_qtaguid.

Generic init.rc allows any process to use socket tagging. Adjust app policy to ensure that any app can read from the misc device. Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Change security policy so all apps can read /dev/xt_qtaguid.
4c266ba1 · rpcraig · e8848726 · 4c266ba1
Commit 4c266ba1 authored 12 years ago by rpcraig
--- a/app.te
+++ b/app.te
@@ -24,8 +24,6 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
-# Read /dev/xt_qtaguid
-allow platform_app qtaguid_device:chr_file r_file_perms;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
@@ -43,8 +41,6 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Read /dev/xt_qtaguid
-allow media_app qtaguid_device:chr_file r_file_perms;

 # Apps signed with the shared key.
 type shared_app, domain;
@@ -69,8 +65,6 @@ net_domain(release_app)
 bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
-# Read /dev/xt_qtaguid
-allow release_app qtaguid_device:chr_file r_file_perms;

 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -185,6 +179,9 @@ allow appdomain anr_data_file:file { open append };

 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;

 # Use the Binder.
 binder_use(appdomain)