remove app_data_file execute Remove the ability for applications to dlopen() executable code from their home directory for newer API versions. API versions <= 28 are uneffected by this change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4

commit: b362474374afc402f65695252d30a008326c0eba [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Dec 12 09:06:39 2018 -0800
committer: Nick Kralevich <nnk@google.com> Wed Dec 12 13:20:39 2018 -0800
tree: fd296458f007a565602722983b1df696ff0a0adf
parent: 0eb0a16fbdfbb986d4209c86fe0261db35129c01 [diff] [blame]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 4935f33..92fd325 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -22,7 +22,7 @@
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
 allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file     { r_file_perms execute };
+allow ephemeral_app app_data_file:file r_file_perms;
 
 # Allow the renderscript compiler to be run.
 domain_auto_trans(ephemeral_app, rs_exec, rs)
commit	b362474374afc402f65695252d30a008326c0eba	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Dec 12 09:06:39 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Wed Dec 12 13:20:39 2018 -0800
tree	fd296458f007a565602722983b1df696ff0a0adf
parent	0eb0a16fbdfbb986d4209c86fe0261db35129c01 [diff] [blame]