On Tue, Jan 19, 2016 at 5:06 AM, Inamdar Sharif <[email protected]> wrote:
> I think we can make it generic in the AOSP policy itself.
>

Having system_app read from locations writable by untrusted_app affects the integrity of system_app, which is more trusted than platform_app.

>
> On Jan 18, 2016 8:58 AM, "Inamdar Sharif" <[email protected]> wrote:
>>
>> Hi Guys,
>>
>> While going through the policies, I came across media_rw_data_file
>>
>> Looking into the policies it seems that platform_app and untrusted_app have
>> the following permissions.
>>
>> allow platform_app media_rw_data_file:dir create_dir_perms;
>> allow platform_app media_rw_data_file:file create_file_perms;
>>
>> allow untrusted_app media_rw_data_file:dir create_dir_perms;
>> allow untrusted_app media_rw_data_file:file create_file_perms;
>>
>> But for system_app we don’t have such policies. If untrusted_app can
>> access then system_app is much safer.
>
> It's about least permission which does not always correlate with safe.
> Apparently no system apps have needed permissions there so they were not
> allowed to do such.
>
>>
>> I am not sure why we have not allowed it for system apps. Is there any
>> specific reason??
>
> They don't need it currently on any Nexus device. However OEMs may have
> system apps that access this location, and thus their device policy takes
> care of it assuming no neverallows are in place.
>>
>> Thanks.
>>
>> ________________________________
>> This email message is for the sole use of the intended recipient(s) and
>> may contain confidential information. Any unauthorized review, use,
>> disclosure or distribution is prohibited. If you are not the intended
>> recipient, please contact the sender by reply email and destroy all copies
>> of the original message.
>> ________________________________
>>
>> _______________________________________________
>> Seandroid-list mailing list
>> [email protected]
>> To unsubscribe, send email to [email protected].
>> To get help, send an email containing "help" to
>> [email protected].
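The integrity concern raised in the reply (a more trusted domain reading files that untrusted_app can write) can be checked mechanically over a set of allow rules. The following is an added example, not part of any poster's message or of AOSP: the macro table is a simplified subset assumed for illustration, and the last two rules in the sample are constructed, standing in for a hypothetical OEM device policy.

```python
import re

# Simplified subset of AOSP permission macros (assumption: trimmed for this example).
MACROS = {
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
    "w_file_perms": {"open", "append", "write", "lock"},
}
MACROS["rw_file_perms"] = MACROS["r_file_perms"] | MACROS["w_file_perms"]
MACROS["create_file_perms"] = MACROS["rw_file_perms"] | {"create", "rename", "setattr", "unlink"}

WRITE_PERMS = {"write", "append", "create", "rename", "unlink", "setattr"}
READ_PERMS = {"read"}

# Matches simple rules: allow <source> <type>:<class> <perm-or-{set}>;
RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def parse_allow(policy):
    """Yield (source, target_type, class, expanded_perms) for each simple allow rule."""
    for line in policy.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        src, tgt, cls, raw = m.groups()
        perms = set()
        for tok in raw.strip("{} ").split():
            perms |= MACROS.get(tok, {tok})  # unknown tokens are kept as literal perms
        yield src, tgt, cls, perms

def integrity_findings(policy, low_domain, trusted_domains):
    """Return sorted (domain, type) pairs where a trusted domain reads files low_domain can write."""
    rules = [r for r in parse_allow(policy) if r[2] == "file"]
    writable = {t for s, t, _, p in rules if s == low_domain and p & WRITE_PERMS}
    return sorted({(s, t) for s, t, _, p in rules
                   if s in trusted_domains and t in writable and p & READ_PERMS})

# Constructed sample: the four rules quoted in the thread plus two hypothetical OEM rules.
SAMPLE = """
allow platform_app media_rw_data_file:dir create_dir_perms;
allow platform_app media_rw_data_file:file create_file_perms;
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;
allow system_app media_rw_data_file:file r_file_perms;
allow system_app system_app_data_file:file { read write };
"""

if __name__ == "__main__":
    for dom, typ in integrity_findings(SAMPLE, "untrusted_app", {"system_app", "platform_app"}):
        print(f"{dom} reads {typ}, which untrusted_app can write")
```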
