diff --git a/isolated_app.te b/isolated_app.te
index d9605539fc30b695fe933614236f357acc6c11d1..f40527316b746a8d38d0aa217be0d67fb7c6413e 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -43,3 +43,7 @@ neverallow isolated_app {
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
diff --git a/untrusted_app.te b/untrusted_app.te
index b88abbe192c890a8a58eb6c262bf208cf3943e33..fc9af41c20c9279561cedb508e819fe435469b32 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,10 +70,6 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 # TODO: narrow this to just MediaProvider
 allow untrusted_app mnt_media_rw_file:dir search;
-# Write to /cache.
-allow untrusted_app cache_file:dir create_dir_perms;
-allow untrusted_app cache_file:file create_file_perms;
-
 # allow cts to query all services
 allow untrusted_app servicemanager:service_manager list;
@@ -151,3 +147,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # Do not allow untrusted app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+
+# Do not allow untrusted_app access to /cache
+neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
+neverallow untrusted_app cache_file:file ~{ read getattr };
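Review bot: The comment `# Do not allow isolated_app access to /cache` overstates the two neverallow rules beneath it: `~{ r_dir_perms }` and `~{ read getattr }` are complements, so read-only access to cache_file stays grantable and only write, create, remove and the other non-read permissions are asserted against; a comment such as `# Do not allow isolated_app write access to /cache (read-only access may still be granted)` would describe what the policy actually enforces. The dir and file rules are also asymmetric: the dir exclusion keeps the whole r_dir_perms set (including open and search) grantable, while the file exclusion keeps only read and getattr, so any future allow granting `open` on cache_file:file would trip the file neverallow even though the dir rule permits opening the directory — if read-only opening of cache files is intended, `~{ r_file_perms }` would match the dir rule, and if blocking open is deliberate, the comment should say so. The same wording and asymmetry apply to the matching untrusted_app rules added in the last hunk of untrusted_app.te.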