author | dcashman <dcashman@google.com> | 2015-02-27 16:03:00 -0800 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2015-02-27 16:03:00 -0800 |
commit | e8f95b363a39b10f490742c6187f555f5633af74 (patch) | |
tree | a5a7dbdb74a60c8410b7ff1b670f9591c060d5df /mls | |
parent | a4b8226457c9bef174aa10b39f3aa0bbeae92260 (diff) | |
Remove read access from mls constraints.
Addresses the following denial encountered when sharing photos between personal
and managed profiles:
Binder_5: type=1400 audit(0.0:236): avc: denied { read } for path="/data/data/com.google.android.apps.plus/cache/media/3/3bbca5f1bcfa7f1-a-nw" dev="dm-0" ino=467800 scontext=u:r:untrusted_app:s0:c529,c768 tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file permissive=0
Bug: 19540297
Change-Id: If51108ec5820ca40e066d5ca3e527c7a0f03eca5
Diffstat (limited to 'mls')
-rw-r--r-- | mls | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -64,7 +64,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto } mlsconstrain dir { read getattr search } (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); -mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } +mlsconstrain { file lnk_file sock_file chr_file blk_file } { open execute } (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Write operations: Subject must be dominated by the object unless the |
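Review bot: The new `+mlsconstrain { file lnk_file sock_file chr_file blk_file } { open execute }` line changes more than the subject line says: it drops `getattr` along with `read` and newly constrains `open`, while the commit message and the quoted denial only account for `{ read }`. If the intent is that an already-open file may be read across category sets while `open` becomes the MLS gate for these classes, say so in the commit message and in a comment above the rule, and state why `getattr` no longer needs the `l1 dom l2` check. If `getattr` was not meant to be relaxed, keep it in the permission set, i.e. `{ open getattr execute }`. Note also that the unchanged `mlsconstrain dir { read getattr search }` rule just above still constrains `read` and `getattr` on directories, so files and directories now diverge; a one-line comment explaining that difference would help the next reader of this file.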