From c8106f12c09dfffebebcff6b435d4974e6b2a9d7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 11 Jan 2013 14:04:16 -0500
Subject: [PATCH] Only allow read/write not open on platform_app_data_file.

Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app.te b/app.te
index 7cd8c5a2b..65d710a07 100644
--- a/app.te
+++ b/app.te
@@ -164,8 +164,9 @@ allow appdomain surfaceflinger:unix_stream_socket { read write setopt };
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
-# Read/write data files created by the platform apps.
-allow appdomain platform_app_data_file:file rw_file_perms;
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC.  Do not allow open.
+allow appdomain platform_app_data_file:file { read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-- 
GitLab