priv_app.te: drop app_data_file:file execute_no_trans;

auditallow (added in commit 758e6b36) has been in place for about 2 weeks now, and no hits. Remove execute_no_trans. The net effect of this change is that priv_apps won't be able to exec() a file from their home directory, but dlopen() and friends will still work. Test: Compiles and boots successfully. Test: No auditallow messages received via SELinux denial collection. Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145

priv_app.te: drop app_data_file:file execute_no_trans;
auditallow (added in commit 758e6b36) has been in place for about 2 weeks now, and no hits. Remove execute_no_trans. The net effect of this change is that priv_apps won't be able to exec() a file from their home directory, but dlopen() and friends will still work. Test: Compiles and boots successfully. Test: No auditallow messages received via SELinux denial collection. Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145
8fb4cb8b · Nick Kralevich · c82cf89f · 8fb4cb8b
Commit 8fb4cb8b authored 8 years ago by Nick Kralevich
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -11,10 +11,9 @@ bluetooth_domain(priv_app)
 # webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
 allow priv_app self:process ptrace;
-# Some apps ship with shared libraries and binaries that they write out
+# Some apps ship with shared libraries that they write out
-# to their sandbox directory and then execute.
+# to their sandbox directory and then dlopen().
-allow priv_app app_data_file:file rx_file_perms;
+allow priv_app app_data_file:file { r_file_perms execute };
-auditallow priv_app app_data_file:file execute_no_trans;
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;