From 8fb4cb8bc20b999d69210f6fc6b552c6e22b8e09 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 19 Dec 2016 13:45:31 -0800
Subject: [PATCH] priv_app.te: drop app_data_file:file execute_no_trans;

auditallow (added in commit 758e6b36784d1a707c8b2813f89f1edc023d59c8)
has been in place for about 2 weeks now, and no hits. Remove
execute_no_trans.

The net effect of this change is that priv_apps won't be able to exec()
a file from their home directory, but dlopen() and friends will still
work.

Test: Compiles and boots successfully.
Test: No auditallow messages received via SELinux denial collection.
Change-Id: I60fcdc260d12e1bcc2355ca4dd912de7e6d0a145
---
 public/priv_app.te | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/public/priv_app.te b/public/priv_app.te
index 5f9889f6f..fb73b1539 100644
--- a/public/priv_app.te
+++ b/public/priv_app.te
@@ -11,10 +11,9 @@ bluetooth_domain(priv_app)
 # webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
 allow priv_app self:process ptrace;
 
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow priv_app app_data_file:file rx_file_perms;
-auditallow priv_app app_data_file:file execute_no_trans;
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file { r_file_perms execute };
 
 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
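Review bot: The rewritten comment above the new `allow` line does not record why `execute` is kept while `execute_no_trans` is dropped, so a later maintainer reading only priv_app.te may "fix" the rule back to `rx_file_perms` and silently re-enable exec() of files under the app's own writable data directory. The commit message carries that rationale (mmap PROT_EXEC for dlopen() is still permitted, exec() is not, and the auditallow saw no hits), but it is not visible in the policy file. I would extend the comment to `# execute is kept for mmap(PROT_EXEC)/dlopen(); execute_no_trans is deliberately` followed by `# omitted so that exec() of an app_data_file is denied (see auditallow history).` Note also that with the auditallow gone, any attempt to exec() such a file will now surface as an ordinary avc denial rather than an audit-only hit, which is the expected signal to watch for if this turns out to break an app.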
-- 
GitLab