release-request-65fa9893-af48-4e1d-bbfd-0ad00ce88026-for-git_nyc-iot-release-4...

release-request-65fa9893-af48-4e1d-bbfd-0ad00ce88026-for-git_nyc-iot-release-4273224 snap-temp-L21600000093073568 Change-Id: I78efbaf9603da8e5f9f448519cc3a7c40d8279bb

release-request-65fa9893-af48-4e1d-bbfd-0ad00ce88026-for-git_nyc-iot-release-4...
7e936a18 · android-build-team Robot · 13117b41 · f4c42343 · 7e936a18 · 7e936a18
Commit 7e936a18 authored 7 years ago by android-build-team Robot
--- a/app.te
+++ b/app.te
@@ -274,7 +274,8 @@ allow appdomain cache_file:dir getattr;

 # Superuser capabilities.
 # bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
+# iot_wifi requires net_admin.
+neverallow { appdomain -bluetooth -iot_wifi } self:capability *;
 neverallow { appdomain -bluetooth } self:capability2 *;

 # Block device access.
@@ -441,6 +442,7 @@ neverallow appdomain {
 # Blacklist app domains not allowed to execute from /data
 neverallow {
  bluetooth
+  iot_wifi
  isolated_app
  nfc
  radio

--- a/iot_wifi.te
+++ b/iot_wifi.te
+# IoTWifiService app
+# TODO(bryanhenry,b/64616008): Move this domain type into device/google/iot
+# once we no longer need to modify the self:capability neverallow
+type iot_wifi, domain;