Only allow read/write not open on platform_app_data_file. Change-Id: Iad4ad43ce7ba3c00b69b7aac752b40bc2d3be002 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: c8106f12c09dfffebebcff6b435d4974e6b2a9d7 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Fri Jan 11 14:04:16 2013 -0500
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Mar 19 22:45:12 2013 +0000
tree: c1a9034ff736b25cf1567ac812f8a6665c55b93b
parent: d06104d873a4256f8a6fb66ee0f930abbc15f8a1 [diff]
diff --git a/app.te b/app.te
index 7cd8c5a..65d710a 100644
--- a/app.te
+++ b/app.te

@@ -164,8 +164,9 @@
 allow appdomain app_data_file:dir create_dir_perms;
 allow appdomain app_data_file:notdevfile_class_set create_file_perms;
 
-# Read/write data files created by the platform apps.
-allow appdomain platform_app_data_file:file rw_file_perms;
+# Read/write data files created by the platform apps if they
+# were passed to the app via binder or local IPC.  Do not allow open.
+allow appdomain platform_app_data_file:file { read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
commit	c8106f12c09dfffebebcff6b435d4974e6b2a9d7	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Fri Jan 11 14:04:16 2013 -0500
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Mar 19 22:45:12 2013 +0000
tree	c1a9034ff736b25cf1567ac812f8a6665c55b93b
parent	d06104d873a4256f8a6fb66ee0f930abbc15f8a1 [diff]