remove zygote access to apk_data_file

GrapheneOS doesn't use out-of-band updates for base system apps (with a few exceptions) or APEX, so the zygote should never require this access. GrapheneOS also uses exec-based app spawning so it doesn't benefit from preloading in the standard code path.
GrapheneOS · Aug 7, 2020 · 1572c22 · 1572c22
1 parent d800c3c
commit 1572c22
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 20 deletions.
diff --git a/prebuilts/api/29.0/private/app_zygote.te b/prebuilts/api/29.0/private/app_zygote.te
@@ -55,11 +55,6 @@ allow app_zygote zygote:process sigchld;
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
 

diff --git a/prebuilts/api/29.0/private/webview_zygote.te b/prebuilts/api/29.0/private/webview_zygote.te
@@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # a domain macro.
 tmpfs_domain(webview_zygote);
 
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;

diff --git a/private/app_zygote.te b/private/app_zygote.te
@@ -55,11 +55,6 @@ allow app_zygote zygote:process sigchld;
 r_dir_file(app_zygote, dalvikcache_data_file);
 allow app_zygote dalvikcache_data_file:file execute;
 
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
 # Allow app_zygote access to /vendor/overlay
 r_dir_file(app_zygote, vendor_overlay_file)
 

diff --git a/private/webview_zygote.te b/private/webview_zygote.te
@@ -10,11 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # a domain macro.
 tmpfs_domain(webview_zygote);
 
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;