Merge "init.te: only allow wifi tracing restorecon twice"
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index bb95b1f..e576d27 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -42,6 +42,3 @@
# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
# This will go away in a future Android release
allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Legacy text relocations
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 7d4737d..6534412 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -17,15 +17,18 @@
### seapp_contexts.
###
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
-allow untrusted_app_all app_data_file:file rx_file_perms;
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file execute;
+allow untrusted_app_all asec_public_file:file { execute execmod };
# Used by Finsky / Android "Verify Apps" functionality when
# running "adb install foo.apk".
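Review bot: The execmod grant is now spread over three rules in this hunk (the new `apk_data_file` rule and the widened `app_data_file` and `asec_public_file` rules), and only the first carries the "Legacy text relocations" comment. Judging by the attribute name, the grant now reaches every untrusted app domain rather than only the `untrusted_app_25` one, so a single rule would be easier to audit and to remove later: `allow untrusted_app_all { apk_data_file app_data_file asec_public_file }:file execmod;`, with the `rx_file_perms` and `execute` rules left as they were. The comment should also record why the wider set of apps needs this, for example `# Legacy text relocations: execmod lets a modified private file mapping be made executable; keep limited to these three types.` This matters most for `app_data_file`, which the existing comment says apps write out themselves before executing.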
diff --git a/public/domain.te b/public/domain.te
index 9ee41ab..b8004ac 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -499,7 +499,7 @@
# prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
-neverallow { domain -untrusted_app_25 } file_type:file execmod;
+neverallow { domain -untrusted_app_all } file_type:file execmod;
neverallow { domain -init } proc:{ file dir } mounton;
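Review bot: The exemption in the changed neverallow spans `file_type:file` for every domain in `untrusted_app_all`, while the allow rules in untrusted_app_all.te grant execmod on only three types. A companion assertion would stop the exemption from being widened unnoticed by a later allow rule: `neverallow untrusted_app_all { file_type -apk_data_file -app_data_file -asec_public_file }:file execmod;`. The comment above the rule still describes it only as covering non-zygote spawned processes; it could name the attribute that is now exempt and why. Only this window of domain.te is visible, so such an assertion may already exist elsewhere in the file.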