sepolicy: allow apps to execute libs embedded inside vendor apk Currently, some jni libs in /vendor/lib are allowed to be executed in java process by labelling them as same_process_hal_file. This is wrong because those jni libs are not in fact same process HALs. After b/37481404, those jni libs for vendor apks are embedded inside the apk just like downloaded apks. In order to make this possible, appdomain is allowed to execute vendor_app_file. Note that allowing this is not a Treble violation because vendor_app_file is Java and JNI code only. Native libraries in /vendor/lib are still prevented from being loaded in apps except for those are labeled as same_process_hal_file AND are loaded via the 'sphal' namespace. Bug: 37481404 Test: Phone application does not crash. Change-Id: Ifaece2f05d0b20e28c4b1c0847f5ea0bb28ade02

commit: 865390312d11858e4390e563374fd0f3e804ebb1 [log] [tgz]
author: Jiyong Park <jiyong@google.com> Tue May 16 18:13:34 2017 +0900
committer: Jiyong Park <jiyong@google.com> Wed May 17 10:18:34 2017 +0900
tree: 86f16fdb562c2114305f06dc62c229880f24724e
parent: 2dd9ae33f7827dd372c2c698f1aec457e5be8a9e [diff]
diff --git a/private/app.te b/private/app.te
index 309d27c..4b9d87d 100644
--- a/private/app.te
+++ b/private/app.te

@@ -114,6 +114,7 @@
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
 r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
 
 # Allow apps access to /vendor/overlay
 r_dir_file(appdomain, vendor_overlay_file)
commit	865390312d11858e4390e563374fd0f3e804ebb1	[log] [tgz]
author	Jiyong Park <jiyong@google.com>	Tue May 16 18:13:34 2017 +0900
committer	Jiyong Park <jiyong@google.com>	Wed May 17 10:18:34 2017 +0900
tree	86f16fdb562c2114305f06dc62c229880f24724e
parent	2dd9ae33f7827dd372c2c698f1aec457e5be8a9e [diff]