Only allow read/write not open on platform_app_data_file.

Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Only allow read/write not open on platform_app_data_file.
c8106f12 · Stephen Smalley · Gerrit Code Review · d06104d8 · c8106f12
Commit c8106f12 authored 12 years ago by Stephen Smalley Committed by Gerrit Code Review 12 years ago
--- a/app.te
+++ b/app.te
@@ -164,8 +164,9 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;

-# Read/write data files created by the platform apps.
-allow appdomain platform_app_data_file:file rw_file_perms;
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC.  Do not allow open.
+allow appdomain platform_app_data_file:file { read write };

 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;