From 758e6b36784d1a707c8b2813f89f1edc023d59c8 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 3 Dec 2016 17:52:39 -0500
Subject: [PATCH] auditallow priv_app app_data_file execution

In general, apps shouldn't be executing data from their writable data
directories. Allowing this is a security risk and use cases for this are
almost always anti-patterns where saner alternatives are available such
as using one of the standard systems for shipping libraries (extracted
by the package manager or aligned/uncompressed in the apk) or using the
existing package system to handle plugins. It's reasonable for the
untrusted_app domain to have this (not just for backwards compatibility)
but priv_app should be held to a higher standard.

Ideally, untrusted apps would be able to opt-in to disabling this and
then the default could be switched at a new API level. It could do
more than just hardening apps not requiring it by having documentation
explain the risks and offer alternatives to reduce 'legitimate' use. The
base system could disable it for all of the bundled untrusted apps.

Change-Id: I4efcfaf01c6b6c33c39e98c22a1934e8892e2147
---
 public/priv_app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/priv_app.te b/public/priv_app.te
index 17b19cdde..e2aecfd63 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -14,6 +14,7 @@ allow priv_app self:process ptrace;
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow priv_app app_data_file:file rx_file_perms;
+auditallow priv_app app_data_file:file { execute execute_no_trans };
 
 # android.process.media uses /dev/mtp_usb
 allow priv_app mtp_device:chr_file rw_file_perms;
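Review bot: the comment above the new rule still only describes the allow; extend it to say that execute and execute_no_trans from app_data_file are now audited so that priv_apps relying on this can be identified and the `allow priv_app app_data_file:file rx_file_perms;` on the previous line eventually tightened. Note that auditallow only logs accesses that are granted and changes nothing about enforcement, so the existing allow remains fully in effect; the audit messages will appear as "granted" AVC records rather than denials, which is worth stating in the comment for whoever triages the logs.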
-- 
GitLab