auditallow app_data_file execute
am: 4738b93db2
Change-Id: I4278bd3d4e7786be716324d1817a81b6c19eec2e
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f28d28f..f75a87d 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,6 +23,12 @@
# to their sandbox directory and then execute.
allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow ephemeral_app app_data_file:file execute;
+
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
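Review bot: The new `auditallow` in ephemeral_app.te names only `app_data_file`, while the `allow` rule directly above it grants `execute` on both `app_data_file` and `privapp_data_file`, so execution from `privapp_data_file` stays permitted but unlogged. The same gap exists in the untrusted_app_all.te hunk, where the `allow` covers both types and the `auditallow` covers one. If the omission is deliberate (for example because these domains are not expected to own `privapp_data_file` content), say so in the comment. Otherwise widen the rule to `auditallow ephemeral_app { app_data_file privapp_data_file }:file execute;` so the audit data covers everything the allow rule grants before a removal decision is based on it.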
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6e..fdda730 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -24,6 +24,12 @@
# to their sandbox directory and then execute.
allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
+
# ASEC
allow untrusted_app_all asec_apk_file:file r_file_perms;
allow untrusted_app_all asec_apk_file:dir r_dir_perms;
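Review bot: The comment above the `auditallow` in untrusted_app_all.te says "executing files" without distinguishing the two audited permissions, which are reached by different paths. As far as I know, `execute` is also checked when a file is mapped executable (for example when loading a native library), while `execute_no_trans` is checked on an exec that stays in the same domain. A line such as `# execute also covers executable mmap (library loading); execute_no_trans is exec without a domain transition` would help whoever triages the resulting `avc: granted` entries separate library loading from running binaries. Since `auditallow` only logs, the comment could also state that nothing is enforced here and which follow-up (a neverallow or removal of the allow rule) the data is meant to justify.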