From b8a424994fec00a49b9ba6c455ac74fce3d40636 Mon Sep 17 00:00:00 2001
From: Shubham Ajmera <shubhamajmera@google.com>
Date: Tue, 24 Oct 2017 17:17:57 -0700
Subject: [PATCH] Don't allow dexoptanalyzer to open app_data_files

Test: manual(installd flow without sepolicy denials)
Bug: 67111829
Change-Id: I7ac1a86e731ec5900eec83608b4765a6818f2fd0
---
 private/dexoptanalyzer.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1c23f5727..dfc81b850 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -20,7 +20,7 @@ allow dexoptanalyzer installd:fd use;
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
+allow dexoptanalyzer app_data_file:file { getattr read };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
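Review bot: The comment above the `app_data_file` rules still only says "Allow reading secondary dex files" and does not record that `open` is now deliberately withheld on the new `{ getattr read }` line, so a later cleanup could restore `r_file_perms` without noticing the regression. Judging by the commit title and the `installd:fd use` rule in the hunk header, the files are presumably meant to reach dexoptanalyzer only as descriptors already opened by installd. I would say so next to the rule, e.g. `# No open: app data files must be passed as already-open fds from installd.` If the build's neverallow checks cover this file, adding `neverallow dexoptanalyzer app_data_file:file open;` would make the restriction enforced rather than only documented. The `dontaudit` line that the trailing comment refers to lies outside this hunk, so I could not check whether it needs a matching update.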
-- 
GitLab