Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c255e377c5c0fbbced3b7a09f229903b6a24de93
commitc255e377c5c0fbbced3b7a09f229903b6a24de93[log] [tgz]
authorNick Kralevich <nnk@google.com>Mon Aug 22 11:13:22 2016 -0700
committerJeff Vander Stoep <jeffv@google.com>Mon Sep 12 11:28:57 2016 -0700
treece9f06574e938ae61841b45589d43801deac9e53
parent6bb6c16e85dec20c6c1a1c4fa335c49033ac8a44 [diff]
Remove platform_app from neverallow execute from /data

Apparently some manufacturers sign APKs with the platform key
which use renderscript. Renderscript works by compiling the
.so file, and placing it in the app's home directory, where the
app loads the content.

Drop platform_app from the neverallow restriction to allow partners
to add rules allowing /data execute for this class of apps.

We should revisit this in the future after we have a better
solution for apps which use renderscript.

(cherry picked from commit c55cf17a6b4a23f8ef66ff816f871d7d9e8de56a)

Bug: 29857189
Change-Id: I058a802ad5eb2a67e657b6d759a3ef4e21cbb8cc
1 file changed
tree: ce9f06574e938ae61841b45589d43801deac9e53
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. atrace.te
  7. attributes
  8. audioserver.te
  9. autoplay_app.te
  10. binderservicedomain.te
  11. blkid.te
  12. blkid_untrusted.te
  13. bluetooth.te
  14. bluetoothdomain.te
  15. boot_control_hal.te
  16. bootanim.te
  17. bootstat.te
  18. cameraserver.te
  19. clatd.te
  20. CleanSpec.mk
  21. debuggerd.te
  22. device.te
  23. dex2oat.te
  24. dhcp.te
  25. dnsmasq.te
  26. domain.te
  27. domain_deprecated.te
  28. drmserver.te
  29. dumpstate.te
  30. file.te
  31. file_contexts
  32. file_contexts_asan
  33. fingerprintd.te
  34. fs_use
  35. fsck.te
  36. fsck_untrusted.te
  37. gatekeeperd.te
  38. genfs_contexts
  39. global_macros
  40. hci_attach.te
  41. healthd.te
  42. hostapd.te
  43. idmap.te
  44. init.te
  45. initial_sid_contexts
  46. initial_sids
  47. inputflinger.te
  48. install_recovery.te
  49. installd.te
  50. ioctl_defines
  51. ioctl_macros
  52. isolated_app.te
  53. kernel.te
  54. keys.conf
  55. keystore.te
  56. lmkd.te
  57. logd.te
  58. mac_permissions.xml
  59. mdnsd.te
  60. mediacodec.te
  61. mediadrmserver.te
  62. mediaextractor.te
  63. mediaserver.te
  64. mls
  65. mls_macros
  66. MODULE_LICENSE_PUBLIC_DOMAIN
  67. mtp.te
  68. net.te
  69. netd.te
  70. neverallow_macros
  71. nfc.te
  72. NOTICE
  73. otapreopt_chroot.te
  74. perfprofd.te
  75. platform_app.te
  76. policy_capabilities
  77. port_contexts
  78. postinstall.te
  79. postinstall_dexopt.te
  80. ppp.te
  81. priv_app.te
  82. profman.te
  83. property.te
  84. property_contexts
  85. racoon.te
  86. radio.te
  87. README
  88. recovery.te
  89. recovery_persist.te
  90. recovery_refresh.te
  91. rild.te
  92. roles
  93. runas.te
  94. sdcardd.te
  95. seapp_contexts
  96. security_classes
  97. service.te
  98. service_contexts
  99. servicemanager.te
  100. sgdisk.te
  101. shared_relro.te
  102. shell.te
  103. slideshow.te
  104. su.te
  105. surfaceflinger.te
  106. system_app.te
  107. system_server.te
  108. te_macros
  109. tee.te
  110. toolbox.te
  111. tzdatacheck.te
  112. ueventd.te
  113. uncrypt.te
  114. untrusted_app.te
  115. update_engine.te
  116. update_engine_common.te
  117. update_verifier.te
  118. users
  119. vdc.te
  120. vold.te
  121. watchdogd.te
  122. wificond.te
  123. wpa.te
  124. zygote.te