Do not allow priv_apps to scan all exec files Bug: 36463595 Test: sailfish boots without new denials Change-Id: I4271a293b91ab262dddd4d40220cd7daaff53bf2 Signed-off-by: Sandeep Patil <sspatil@google.com> (cherry picked from commit b2586825e1ce92d637754b4c40e4d5edfd50a1a6)

commit: 0b9432023d7e29b802cfc41be259de3554b26efb [log] [tgz]
author: Sandeep Patil <sspatil@google.com> Thu Apr 13 08:53:45 2017 -0700
committer: Sandeep Patil <sspatil@google.com> Thu Apr 13 16:32:34 2017 -0700
tree: ff8629bf57823f0cef8c121a5c2ab7fb6acf8594
parent: 46f9c124b463c09f3f3990b71c253f2233a7f16a [diff]
diff --git a/private/priv_app.te b/private/priv_app.te
index 4ce142f..ad8ab46 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -72,9 +72,6 @@
   allow priv_app perfprofd_data_file:dir r_dir_perms;
 ')
 
-# Allow GMS core to scan executables on the system partition
-allow priv_app exec_type:file { getattr read open };
-
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
commit	0b9432023d7e29b802cfc41be259de3554b26efb	[log] [tgz]
author	Sandeep Patil <sspatil@google.com>	Thu Apr 13 08:53:45 2017 -0700
committer	Sandeep Patil <sspatil@google.com>	Thu Apr 13 16:32:34 2017 -0700
tree	ff8629bf57823f0cef8c121a5c2ab7fb6acf8594
parent	46f9c124b463c09f3f3990b71c253f2233a7f16a [diff]