Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7650669fe88f4874291c014c41d0235183d79bcf^! / . / private
commit7650669fe88f4874291c014c41d0235183d79bcf[log] [tgz]
authorChad Brubaker <cbrubaker@google.com>Wed Oct 25 12:41:11 2017 -0700
committerNick Kralevich <nnk@google.com>Mon Nov 13 13:31:42 2017 -0800
treea761ac3a9081d69e5a3ac22524fe10db17a9bb59
parent4bf3b5e95c8026ea72c86749c24ecf5bef06cca3 [diff]
Allow Instant/V2 apps to load code from /data/data

This restriction causes issues with dynamite.

Since untrusted_v2_app was about enforcing this constraint put installed
v2 applications back into the normal untrusted_app domain.

Bug: 64806320
Test: Manual test with app using dynamite module

(cherrypicked from commit fe836817942f21eaf6a33f137ea56eb1329d29fe)

Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index eeb022b..7694739 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -19,6 +19,10 @@
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
@@ -35,8 +39,7 @@
 ### neverallow rules
 ###
 
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;

diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e389..a97fc70 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -105,7 +105,6 @@
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
 user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
-user=_app isV2App=true domain=untrusted_v2_app type=app_data_file levelFrom=user
 user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user