1*e4a36f41SAndroid Build Coastguard Worker# MLS override can't be used to access private app data. 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Worker# Apps should not normally be mlstrustedsubject, but if they must be 4*e4a36f41SAndroid Build Coastguard Worker# they cannot use this to access app private data files; their own app 5*e4a36f41SAndroid Build Coastguard Worker# data files must use a different label. 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Workerneverallow { 8*e4a36f41SAndroid Build Coastguard Worker mlstrustedsubject 9*e4a36f41SAndroid Build Coastguard Worker -artd # compile secondary dex files 10*e4a36f41SAndroid Build Coastguard Worker -installd 11*e4a36f41SAndroid Build Coastguard Worker} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append }; 12*e4a36f41SAndroid Build Coastguard Worker 13*e4a36f41SAndroid Build Coastguard Workerneverallow { 14*e4a36f41SAndroid Build Coastguard Worker mlstrustedsubject 15*e4a36f41SAndroid Build Coastguard Worker -artd # compile secondary dex files 16*e4a36f41SAndroid Build Coastguard Worker -installd 17*e4a36f41SAndroid Build Coastguard Worker} { app_data_file privapp_data_file }:dir ~{ read getattr search }; 18*e4a36f41SAndroid Build Coastguard Worker 19*e4a36f41SAndroid Build Coastguard Workerneverallow { 20*e4a36f41SAndroid Build Coastguard Worker mlstrustedsubject 21*e4a36f41SAndroid Build Coastguard Worker -artd # compile secondary dex files 22*e4a36f41SAndroid Build Coastguard Worker -installd 23*e4a36f41SAndroid Build Coastguard Worker -system_server 24*e4a36f41SAndroid Build Coastguard Worker -adbd 25*e4a36f41SAndroid Build Coastguard Worker -runas 26*e4a36f41SAndroid Build Coastguard Worker -zygote 27*e4a36f41SAndroid Build Coastguard Worker} { app_data_file privapp_data_file }:dir { read getattr search }; 28