resolved conflicts for f1203bf0 to stage-aosp-master

Change-Id: I7f17a87595a05967879ccc33326eb80d7bd00251

resolved conflicts for f1203bf0 to stage-aosp-master
e9aaae4f · Jeff Vander Stoep · d77deee4 · f1203bf0 · e9aaae4f · e9aaae4f
Commit e9aaae4f authored 9 years ago by Jeff Vander Stoep
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -46,3 +46,7 @@ neverallow isolated_app {
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,10 +70,6 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 # TODO: narrow this to just MediaProvider
 allow untrusted_app mnt_media_rw_file:dir search;
-# Write to /cache.
-allow untrusted_app cache_file:dir create_dir_perms;
-allow untrusted_app cache_file:file create_file_perms;
 # allow cts to query all services
 allow untrusted_app servicemanager:service_manager list;
@@ -154,3 +150,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
 # Do not allow untrusted app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+# Do not allow untrusted_app access to /cache
+neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
+neverallow untrusted_app cache_file:file ~{ read getattr };