Skip to content
Snippets Groups Projects
Commit 57475e5e authored by Nick Kralevich's avatar Nick Kralevich
Browse files

priv_app.te: Drop auditallow app_data_file:file execute 

This functionality is being used by priv_apps shipped as part of
Android. Don't drop execute_no_trans as we haven't seen any denials here
yet.

Addresses the following auditallow messages:

avc: granted { execute } for comm="GELServices-0"
path="/data/data/com.google.android.googlequicksearchbox/files/velour/dex_cache/Ji1opKyKASKEOKNQUu1QyWw_1.jar/Ji1opKyKASKEOKNQUu1QyWw_1.dex"
dev="dm-2" ino=1196939 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="CTION_IDLE_MODE"
path="/data/data/com.google.android.gms/snet/dalvik-cache/snet.dex"
dev="dm-2" ino=1114262 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="lowpool[3]"
path="/data/data/com.google.android.gms/files/libAppDataSearchExt_arm64_v8a.so"
dev="dm-2" ino=1688320 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:9196_2"
path="/data/data/com.google.android.gms/app_dg_cache/1FECE961A655634046D6AB5E18FE6F74212FBEA6/lib/libdC14BB7282EA1.so"
dev="dm-2" ino=1893474 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

avc: granted { execute } for comm="Binder:13170_1"
path="/data/data/com.google.android.gms/app_fb/f.dex" dev="dm-2"
ino=1810720 scontext=u:r:priv_app:s0:c512,c768
tcontext=u:object_r:app_data_file:s0:c512,c768 tclass=file

Test: policy compiles.
Change-Id: I63358697b07c8f620b999e666791f4f385bab776
parent 23fdf03c
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 1 addition and 1 deletion
public/priv_app.te
+ 1
1
View file @ 57475e5e
...@@ -14,7 +14,7 @@ allow priv_app self:process ptrace; ...@@ -14,7 +14,7 @@ allow priv_app self:process ptrace;
# Some apps ship with shared libraries and binaries that they write out # Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute. # to their sandbox directory and then execute.
allow priv_app app_data_file:file rx_file_perms; allow priv_app app_data_file:file rx_file_perms;
auditallow priv_app app_data_file:file { execute execute_no_trans }; auditallow priv_app app_data_file:file execute_no_trans;
# android.process.media uses /dev/mtp_usb # android.process.media uses /dev/mtp_usb
allow priv_app mtp_device:chr_file rw_file_perms; allow priv_app mtp_device:chr_file rw_file_perms;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment