From 473cc5e17d09911f0ffea82bbef26ca1896086a6 Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Wed, 25 Oct 2017 12:41:11 -0700
Subject: [PATCH] DO NOT MERGE: Allow Ephemeral apps to load code from /data/data for 8.0

This restriction causes issues with dynamite. Since untrusted_v2_app was about enforcing this constraint put installed v2 applications back into the normal untrusted_app domain. CP from commit fe836817942f21eaf6a33f137ea56eb1329d29fe & adapts for 8.0

Bug: 64806320
Bug: 69057841
Test: make cts
Change-Id: I3abf3ade64aaf689039a515de642759dd39ae6f7
---
 private/ephemeral_app.te | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index d664a5027..7f223478e 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
@@ -36,8 +40,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
 ### neverallow rules
 ###
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
--
GitLab
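Review bot: The comment added with `allow ephemeral_app app_data_file:file {r_file_perms execute};` says apps write out "shared libraries and binaries" and then execute them, but the rule grants only `execute`, and the second hunk keeps `execute_no_trans` under neverallow, so exec of a file from the sandbox directory without a domain transition remains forbidden. The comment should describe what is actually granted, for example `# Allow ephemeral apps to map code from their sandbox directory as executable (e.g. shared libraries); exec of files there stays neverallowed.` Because the comment itself describes these files as app-written, the rule lets the domain execute code from a location it can modify. Noting that it is a compatibility exception for the bugs cited in the commit message would help a later reader judge whether it can be withdrawn.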
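Review bot: The narrowed `neverallow ephemeral_app app_data_file:file execute_no_trans;` is left with no comment, since the removed explanatory line has no replacement. A one-line comment such as `# Files in an ephemeral app's home directory may be mapped executable, but must never be exec'd directly.` would record why `execute` was dropped from the set and make clear that the remaining restriction is intentional. The "neverallow rules" section continues outside the hunk.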