From 865390312d11858e4390e563374fd0f3e804ebb1 Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Tue, 16 May 2017 18:13:34 +0900
Subject: [PATCH] sepolicy: allow apps to execute libs embedded inside vendor
 apk

Currently, some jni libs in /vendor/lib are allowed to be executed
in a Java process by labelling them as same_process_hal_file. This is
wrong because those jni libs are not in fact same process HALs.

After b/37481404, those jni libs for vendor apks are embedded inside the
apk just like downloaded apks.

In order to make this possible, appdomain is allowed to execute
vendor_app_file. Note that allowing this is not a Treble violation because
vendor_app_file is Java and JNI code only. Native libraries in
/vendor/lib are still prevented from being loaded in apps except for
those that are labeled as same_process_hal_file AND are loaded via the
'sphal' namespace.

Bug: 37481404
Test: Phone application does not crash.
Change-Id: Ifaece2f05d0b20e28c4b1c0847f5ea0bb28ade02
---
 private/app.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/private/app.te b/private/app.te
index 309d27cd8..4b9d87d4b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -114,6 +114,7 @@ full_treble_only(`
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
 r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
 
 # Allow apps access to /vendor/overlay
 r_dir_file(appdomain, vendor_overlay_file)
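
Review bot: The new `allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;` rule has no comment of its own, and the existing comment above `r_dir_file` only speaks of "access to /vendor/app", so a later reader of app.te cannot tell why execute is granted on top of read access. Add a comment line stating that execute is needed to load JNI libraries embedded in vendor APKs (b/37481404) and that it does not extend to native libraries in /vendor/lib, as the commit message explains. The source set `{ appdomain -ephemeral_app -untrusted_v2_app }` is now written out twice in adjacent rules, so the two must be kept in sync when either changes. The stated test ("Phone application does not crash") covers only the allowed path; a check that ephemeral_app and untrusted_v2_app are still denied execute on vendor_app_file would confirm the exclusions hold.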
-- 
GitLab