Merge "Revert "auditallow app_data_file execute""

b90595cb · Treehugger Robot · Gerrit Code Review · ad3eb4e2 · c47e149a · b90595cb
Commit b90595cb authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,12 +23,6 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # to their sandbox directory and then execute.
 allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};

-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow ephemeral_app app_data_file:file execute;
-
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;

--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,12 +24,6 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };

-# Executing files from an application home directory violates
-# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
-# from a writable file) and is an unsafe application behavior. Test to see if we
-# can get rid of it.
-auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
-
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;