sepolicy: restrict access for /vendor/framework. am: df679fdb

am: c98b275e Change-Id: I424909584152898fa81d8eacf664db851f47e37c

sepolicy: restrict access for /vendor/framework. am: df679fdb
88234ba4 · Sandeep Patil · android-build-merger · e1a736a0 · c98b275e · 88234ba4
Commit 88234ba4 authored 7 years ago by Sandeep Patil Committed by android-build-merger 7 years ago
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -5,6 +5,9 @@ type dex2oat_exec, exec_type, file_type;
 r_dir_file(dex2oat, apk_data_file)
 # Access to /vendor/app
 r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };

 allow dex2oat tmpfs:file { read getattr };


--- a/public/domain.te
+++ b/public/domain.te
@@ -136,11 +136,6 @@ full_treble_only(`
    # TODO: b/36806861
    allow domain vendor_app_file:lnk_file { open read };

-    # TODO: b/36680116, find out who neeeds access and only allow
-    # specific domains
-    allow domain vendor_framework_file:dir r_dir_perms;
-    allow domain vendor_framework_file:file { read open getattr };
-
    # Allow reading and executing out of /vendor to all vendor domains
    allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };