From f3220aa6b994e71362d7a81fe35bee6068502257 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 4 Apr 2018 13:21:37 -0700
Subject: [PATCH] Remove direct qtaguid access from platform/system apps

System components should use the public tagSocket() API, not direct
file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid.

Test: build/boot taimen-userdebug. Use youtube, browse chrome,
    navigate maps on both cellular and wifi.
Bug: 68774956

Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef
---
 public/app.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/public/app.te b/public/app.te
index 4bdd8bf88..4eeede958 100644
--- a/public/app.te
+++ b/public/app.te
@@ -181,8 +181,6 @@ allow {
     untrusted_app_27
     ephemeral_app
     priv_app
-    system_app
-    platform_app
 } proc_qtaguid_ctrl:file rw_file_perms;
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
@@ -191,8 +189,6 @@ r_dir_file({
     untrusted_app_27
     ephemeral_app
     priv_app
-    system_app
-    platform_app
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -201,8 +197,6 @@ allow {
     untrusted_app_27
     ephemeral_app
     priv_app
-    system_app
-    platform_app
 } qtaguid_device:chr_file r_file_perms;
 
 # Grant GPU access to all processes started by Zygote.
-- 
GitLab