From 4c266ba1bc71b8aeb09deb1574550f44807ac0e3 Mon Sep 17 00:00:00 2001
From: rpcraig <rpcraig@tycho.ncsc.mil>
Date: Mon, 3 Dec 2012 06:22:00 -0500
Subject: [PATCH] Change security policy so all apps can read /dev/xt_qtaguid.

Generic init.rc allows any process to use
socket tagging. Adjust app policy to ensure
that any app can read from the misc device.

Change-Id: I4076f0fbc1795f57a4227492f6bfc39a4398ffa5
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 app.te | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/app.te b/app.te
index 22a393e24..b3cd7ccfb 100644
--- a/app.te
+++ b/app.te
@@ -24,8 +24,6 @@ allow platform_app shell_data_file:file { open getattr read };
 allow platform_app shell_data_file:lnk_file read;
 # Populate /data/app/vmdl*.tmp file created by system server.
 allow platform_app apk_tmp_file:file rw_file_perms;
-# Read /dev/xt_qtaguid
-allow platform_app qtaguid_device:chr_file r_file_perms;
 # ASEC
 allow platform_app asec_apk_file:dir create_dir_perms;
 allow platform_app asec_apk_file:file create_file_perms;
@@ -43,8 +41,6 @@ allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
 allow media_app cache_file:dir rw_dir_perms;
 allow media_app cache_file:file create_file_perms;
-# Read /dev/xt_qtaguid
-allow media_app qtaguid_device:chr_file r_file_perms;
 
 # Apps signed with the shared key.
 type shared_app, domain;
@@ -69,8 +65,6 @@ net_domain(release_app)
 bluetooth_domain(release_app)
 # Read logs.
 allow release_app log_device:chr_file read;
-# Read /dev/xt_qtaguid
-allow release_app qtaguid_device:chr_file r_file_perms;
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -185,6 +179,9 @@ allow appdomain anr_data_file:file { open append };
 
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;
 
 # Use the Binder.
 binder_use(appdomain)
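Review bot: The added rule on line 53 grants read access to qtaguid_device to the whole appdomain attribute, which is wider than the three domains (platform_app, media_app, release_app) whose per-domain rules the earlier hunks remove; if the isolatedProcess services mentioned in the context comment at line 45 are members of appdomain, they gain this access as well, and neither the description nor the comment says whether that is intended. The justification given in the new comment is only that the device is world-readable under the generic init.rc, so the policy now mirrors the DAC mode rather than constraining it, and a later tightening of init.rc would leave this rule as the only grant. Consider recording that dependency next to the rule, e.g. `# Matches the world-read DAC mode set by the generic init.rc; revisit if init.rc tightens it.`, and if isolated apps should not read the device, keep the rule on the specific app domains instead of appdomain.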
-- 
GitLab