Merge "add execmod to various app domains"

6399f40f · Nick Kralevich · Gerrit Code Review · dda7fb89 · 78706f9e · 6399f40f
Commit 6399f40f authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/app.te
+++ b/app.te
@@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;

 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute execute_no_trans open };
+allow appdomain system_data_file:file { execute execute_no_trans open execmod };

 # Access to OEM provided data and apps
 allow appdomain oemfs:dir r_dir_perms;

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)

 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
-allow untrusted_app app_data_file:file rx_file_perms;
+allow untrusted_app app_data_file:file { rx_file_perms execmod };

 allow untrusted_app tun_device:chr_file rw_file_perms;

@@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app asec_apk_file:dir { getattr };
 allow untrusted_app asec_apk_file:file r_file_perms;
 # Execute libs in asec containers.
-allow untrusted_app asec_public_file:file execute;
+allow untrusted_app asec_public_file:file { execute execmod };

 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm