auditallow app_data_file execute Executing files from an application home directory violates W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code from a writable file) and is an unsafe application behavior. Test to see if we can get rid of it and establish some baseline metrics. Test: device boots and no obvious problems. Change-Id: I756c281fcbf750821307327642cc0d06605951b0

commit: 4738b93db250175f0915cee2f08ab01aaf8d28f9 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Mon Aug 06 14:48:53 2018 -0700
committer: Nick Kralevich <nnk@google.com> Mon Aug 06 14:49:45 2018 -0700
tree: 377b414a792464841021232cff0c2dd2355cff17
parent: 41b21ee96a94e286e6c308ff03c49b0f14d66e99 [diff] [blame]
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6e..fdda730 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -24,6 +24,12 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 
+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
+
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
commit	4738b93db250175f0915cee2f08ab01aaf8d28f9	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Mon Aug 06 14:48:53 2018 -0700
committer	Nick Kralevich <nnk@google.com>	Mon Aug 06 14:49:45 2018 -0700
tree	377b414a792464841021232cff0c2dd2355cff17
parent	41b21ee96a94e286e6c308ff03c49b0f14d66e99 [diff] [blame]