Remove direct qtaguid access from platform/system apps

System components should use the public tagSocket() API, not direct file access to /proc/net/xt_qtaguid/* and /dev/xt_qtaguid. Test: build/boot taimen-userdebug. Use youtube, browse chrome, navigate maps on both cellular and wifi. Bug: 68774956 Change-Id: Id895395de100d8f9a09886aceb0d6061fef832ef

Remove direct qtaguid access from platform/system apps
f3220aa6 · Jeff Vander Stoep · Jeffrey Vander Stoep · 9d28625f · f3220aa6
Commit f3220aa6 authored 6 years ago by Jeff Vander Stoep Committed by Jeffrey Vander Stoep 6 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -181,8 +181,6 @@ allow {
    untrusted_app_27
    ephemeral_app
    priv_app
-    system_app
-    platform_app
 } proc_qtaguid_ctrl:file rw_file_perms;
 # read /proc/net/xt_qtguid/*stat* to per-app network data usage.
 # Exclude isolated app which may not use network sockets.
@@ -191,8 +189,6 @@ r_dir_file({
    untrusted_app_27
    ephemeral_app
    priv_app
-    system_app
-    platform_app
 }, proc_qtaguid_stat)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
@@ -201,8 +197,6 @@ allow {
    untrusted_app_27
    ephemeral_app
    priv_app
-    system_app
-    platform_app
 } qtaguid_device:chr_file r_file_perms;

 # Grant GPU access to all processes started by Zygote.