Merge "Remove untrusted_app access to cache"

f1203bf0 · Jeffrey Vander Stoep · Gerrit Code Review · 7f09a945 · 68748c21 · f1203bf0
Commit f1203bf0 authored Oct 19, 2015 by Jeffrey Vander Stoep Committed by Gerrit Code Review Oct 19, 2015
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -46,3 +46,7 @@ neverallow isolated_app {

 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -70,10 +70,6 @@ allow untrusted_app media_rw_data_file:file create_file_perms;
 # TODO: narrow this to just MediaProvider
 allow untrusted_app mnt_media_rw_file:dir search;

-# Write to /cache.
-allow untrusted_app cache_file:dir create_dir_perms;
-allow untrusted_app cache_file:file create_file_perms;
-
 allow untrusted_app drmserver_service:service_manager find;
 allow untrusted_app mediaserver_service:service_manager find;
 allow untrusted_app nfc_service:service_manager find;
@@ -151,3 +147,7 @@ neverallow untrusted_app sysfs_mac_address:file no_rw_file_perms;

 # Do not allow untrusted app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+
+# Do not allow untrusted_app access to /cache
+neverallow untrusted_app cache_file:dir ~{ r_dir_perms };
+neverallow untrusted_app cache_file:file ~{ read getattr };