Merge "Drop isolated_app auditallow rule." am: dfb7b7e3 am: f5382659

am: 0b6cf545 Change-Id: Ib66a58d8afaaa384f052001aa8de39c778b4ee8e

Merge "Drop isolated_app auditallow rule." am: dfb7b7e3 am: f5382659
a9ed5f0d · Nick Kralevich · android-build-merger · 3ebd6990 · 0b6cf545 · a9ed5f0d
Commit a9ed5f0d authored 7 years ago by Nick Kralevich Committed by android-build-merger 7 years ago
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@ allow isolated_app self:process ptrace;
 # b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
 # by other processes. Open should never be allowed, and is blocked by
 # neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
 allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };

 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the