public/priv_app.te · 57475e5e931b6ef604e8f1ac6f3fc06b8c10567e · Werner Sembach / AndroidSystemSEPolicy

8 years ago

priv_app.te: Drop auditallow app_data_file:file execute · 57475e5e

Nick Kralevich authored 8 years ago

This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.

Addresses the following auditallow messages:

avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776

57475e5e

History

priv_app.te: Drop auditallow app_data_file:file execute

Nick Kralevich authored 8 years ago

This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.

Addresses the following auditallow messages:

avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776