Commit f1203bf0 authored by Jeffrey Vander Stoep, committed by Gerrit Code Review

Merge "Remove untrusted_app access to cache"

parents 7f09a945 68748c21
......@@ -46,3 +46,7 @@ neverallow isolated_app {
# Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
# Do not allow isolated_app access to /cache
neverallow isolated_app cache_file:dir ~{ r_dir_perms };
neverallow isolated_app cache_file:file ~{ read getattr };
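Review bot: The comment `# Do not allow isolated_app access to /cache` overstates what the two neverallow rules below it assert. Because both rules use complement sets, `r_dir_perms` on cache_file directories and `read getattr` on cache_file files remain open to any future allow rule. I would reword it to `# Do not allow isolated_app to open or modify files in /cache; directory reads and read/getattr on an already-open file are not covered by this assertion`. A second line should say why those permissions are excepted, presumably so that a descriptor opened by another domain can be handed to the app, which is worth confirming. The same comment wording appears on the untrusted_app rules in the last hunk.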
......@@ -70,10 +70,6 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
# TODO: narrow this to just MediaProvider
allow untrusted_app mnt_media_rw_file:dir search;
# Write to /cache.
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;
allow untrusted_app drmserver_service:service_manager find;
allow untrusted_app mediaserver_service:service_manager find;
allow untrusted_app nfc_service:service_manager find;
......@@ -151,3 +147,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;
# Do not allow untrusted app to directly open tun_device
neverallow untrusted_app tun_device:chr_file open;
# Do not allow untrusted_app access to /cache
neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
neverallow untrusted_app cache_file:file ~{ read getattr };
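Review bot: The neverallow rules at the end of this hunk name only the `dir` and `file` classes, so an allow rule granting untrusted_app create or write on a `lnk_file`, `sock_file` or `fifo_file` labelled cache_file would still pass the assertion. If files under /cache are consumed by more privileged domains (not shown here), I would close that at compile time with one more line, e.g. `neverallow untrusted_app cache_file:{ lnk_file sock_file fifo_file } ~{ read getattr };`, or a tighter set if no access to those classes is ever expected. The isolated_app rules in the first hunk have the same gap. The allow lines for `cache_file:dir` and `cache_file:file` in the middle hunk appear to be the ones removed (per the hunk header counts) and covered only those two classes, so the extra rule should not conflict with anything visible here.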