remove app_data_file execute Remove the ability for applications to dlopen() executable code from their home directory for newer API versions. API versions <= 28 are uneffected by this change. Bug: 112357170 Test: cts-tradefed run cts -m CtsRenderscriptTestCases Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4

commit: b362474374afc402f65695252d30a008326c0eba [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Dec 12 09:06:39 2018 -0800
committer: Nick Kralevich <nnk@google.com> Wed Dec 12 13:20:39 2018 -0800
tree: fd296458f007a565602722983b1df696ff0a0adf
parent: 0eb0a16fbdfbb986d4209c86fe0261db35129c01 [diff] [blame]
diff --git a/private/runas_app.te b/private/runas_app.te
index b976b91..00baa83 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te

@@ -6,6 +6,7 @@
 net_domain(runas_app)
 bluetooth_domain(runas_app)
 
-# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Needed by simpleperf.
-allow runas_app app_data_file:file execute_no_trans;
+# The ability to call exec() or dlopen() on app /data/data
+# files when using run-as on a debuggable app.
+# Needed by simpleperf.
+allow runas_app app_data_file:file { execute_no_trans execute };
commit	b362474374afc402f65695252d30a008326c0eba	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Dec 12 09:06:39 2018 -0800
committer	Nick Kralevich <nnk@google.com>	Wed Dec 12 13:20:39 2018 -0800
tree	fd296458f007a565602722983b1df696ff0a0adf
parent	0eb0a16fbdfbb986d4209c86fe0261db35129c01 [diff] [blame]