Remove read access from mls constraints.

Addresses the following denial encountered when sharing photos between personal and managed profiles: Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0 Bug: 19540297 Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5

Remove read access from mls constraints.
e8f95b36 · dcashman · a4b82264 · e8f95b36
Commit e8f95b36 authored 10 years ago by dcashman
--- a/mls
+++ b/mls
@@ -64,7 +64,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 mlsconstrain dir { read getattr search }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { open execute }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);

 # Write operations: Subject must be dominated by the object unless the