From 0b9432023d7e29b802cfc41be259de3554b26efb Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Thu, 13 Apr 2017 08:53:45 -0700
Subject: [PATCH] Do not allow priv_apps to scan all exec files

Bug: 36463595
Test: sailfish boots without new denials

Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)
---
 private/priv_app.te | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/private/priv_app.te b/private/priv_app.te
index 4ce142f0c..ad8ab46e9 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -72,9 +72,6 @@ userdebug_or_eng(`
   allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')
 
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
-- 
GitLab