From 6a1e6a9c525fc3a6b422b329d9e3e852cc853080 Mon Sep 17 00:00:00 2001
From: Ed Coyne <edcoyne@google.com>
Date: Tue, 15 Aug 2017 13:19:11 -0700
Subject: [PATCH] Allow sepolicies granting bootanim exec on /oem.

Iot would like to allow bootanim to load libraries from /oem but in order for
device-specific sepolicies to grant exec this global restriction needs to
be relaxed.

Bug: 37992717
Test: Tested with Iot sepolicies in effect and bootanim can exec.
Change-Id: I6462bf510562eb3fb06304e50b68fba05d37b285
---
 public/domain.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/domain.te b/public/domain.te
index 5b1f1a889..95b18c92b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -366,6 +366,7 @@ neverallow {
 neverallow {
     domain
     -appdomain # for oemfs
+    -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
 } { fs_type -rootfs }:file execute;
 # Files from cache should never be executed
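Review bot: the added `-bootanim # for oemfs` exclusion removes bootanim from this neverallow for every type matched by `{ fs_type -rootfs }`, not only for oemfs, so the comment states the intent but nothing in the rule enforces it. After this change, a device policy can grant bootanim `file execute` on any non-rootfs filesystem type without tripping the global check. If the goal is only to load libraries from /oem, consider keeping bootanim covered by a second neverallow over `{ fs_type -rootfs -oemfs }:file execute` (assuming `oemfs` is the type the comment refers to), so the exemption is limited to that one type. The Test line covers only the positive case; it would help to also confirm that a rule granting bootanim execute on another fs_type is still rejected at build time.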
-- 
GitLab