Remove world-read access to /data/dalvik-cache/profiles

Remove /data/dalvik-cache/profiles from domain. Profiling information leaks data about how people interact with apps, so we don't want the data to be available in all SELinux domains. Add read/write capabilities back to app domains, since apps need to read/write profiling data. Remove restorecon specific rules. The directory is now created by init, not installd, so installd doesn't need to set the label. Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3

Remove world-read access to /data/dalvik-cache/profiles
86703051 · Nick Kralevich · b0ee91a4 · 86703051 · 86703051 · 86703051
Commit 86703051 authored 10 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -131,7 +131,8 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 allow appdomain dalvikcache_data_file:file execute;

 # /data/dalvik-cache/profiles
-allow appdomain dalvikcache_profiles_data_file:file write;
+allow appdomain dalvikcache_profiles_data_file:dir { search getattr };
+allow appdomain dalvikcache_profiles_data_file:file rw_file_perms;

 # Allow any app to read shared RELRO files.
 allow appdomain shared_relro_file:dir search;

--- a/domain.te
+++ b/domain.te
@@ -101,8 +101,6 @@ allow domain apk_data_file:lnk_file r_file_perms;
 # Read /data/dalvik-cache.
 allow domain dalvikcache_data_file:dir { search getattr };
 allow domain dalvikcache_data_file:file r_file_perms;
-allow domain dalvikcache_profiles_data_file:dir { search getattr };
-allow domain dalvikcache_profiles_data_file:file r_file_perms;

 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;

--- a/installd.te
+++ b/installd.te
@@ -46,8 +46,6 @@ allow installd dalvikcache_data_file:dir create_dir_perms;
 allow installd dalvikcache_data_file:file create_file_perms;

 # Create /data/dalvik-cache/profiles.
-allow installd dalvikcache_data_file:dir relabelfrom;
-allow installd dalvikcache_profiles_data_file:dir relabelto;
 allow installd dalvikcache_profiles_data_file:dir rw_dir_perms;
 allow installd dalvikcache_profiles_data_file:file create_file_perms;


--- a/system_server.te
+++ b/system_server.te
@@ -195,6 +195,10 @@ allow system_server backup_data_file:file create_file_perms;
 allow system_server dalvikcache_data_file:dir create_dir_perms;
 allow system_server dalvikcache_data_file:file create_file_perms;

+# Read from /data/dalvik-cache/profiles
+allow system_server dalvikcache_profiles_data_file:dir w_dir_perms;
+allow system_server dalvikcache_profiles_data_file:file create_file_perms;
+
 # Manage /data/misc/adb.
 allow system_server adb_keys_file:dir create_dir_perms;
 allow system_server adb_keys_file:file create_file_perms;