From e8f95b363a39b10f490742c6187f555f5633af74 Mon Sep 17 00:00:00 2001
From: dcashman <dcashman@google.com>
Date: Fri, 27 Feb 2015 16:03:00 -0800
Subject: [PATCH] Remove read access from mls constraints.

Addresses the following denial encountered when sharing photos between personal
and managed profiles:

Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0

Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
---
 mls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mls b/mls
index d5942c36f..06a9d09db 100644
--- a/mls
+++ b/mls
@@ -64,7 +64,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 mlsconstrain dir { read getattr search }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { open execute }
 	     (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
 
 # Write operations: Subject must be dominated by the object unless the
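Review bot: The rewritten `mlsconstrain { file lnk_file sock_file chr_file blk_file }` line drops `getattr` as well as `read`, but the subject and description only mention read; either keep it (`{ getattr open execute }`) if that was unintended, or note in the description that stat() across MLS categories is deliberately no longer constrained. The new set constrains `open` instead of `read`, so a file descriptor already opened by an authorized process and handed across profiles (the Binder case in the quoted denial) can presumably be read subject to TE rules, while a direct open of another category's `app_data_file` is still blocked — a short comment above the constraint would save the next reader from re-deriving this, e.g. `# Constrain open rather than read: cross-category access is only reachable through an fd opened by a process that passed this check.`. The `dir { read getattr search }` constraint at the top of the hunk is unchanged, so directory listing across categories remains blocked, which is consistent with the intent.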
-- 
GitLab