Merge "Adding ability for priv apps to read traceur fd"

am: 8966b8e5 Change-Id: Ic24196b6a4050696d92f18a6879c569ccf5eaec7

Merge "Adding ability for priv apps to read traceur fd"
f66fd522 · Max Bires · android-build-merger · 82e9a73a · 8966b8e5 · f66fd522
Commit f66fd522 authored 7 years ago by Max Bires Committed by android-build-merger 7 years ago
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -58,6 +58,9 @@ allow priv_app media_rw_data_file:file create_file_perms;
 allow priv_app shell_data_file:file r_file_perms;
 allow priv_app shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -191,3 +194,8 @@ neverallow priv_app mlstrustedsubject:process fork;
 # bugs, so we want to ensure priv_app never has this
 # capability.
 neverallow priv_app file_type:file link;
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };