Skip to content
Snippets Groups Projects
Commit 94f9ff87 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

isolated_app: remove app_data_file execute 

In commit ad891591, we allowed
isolated processes to execute files from /data/data/APPNAME.

I'm pretty sure all the necessary linker changes have been made
so that this functionality isn't required anymore. Remove the
allow rule.

This is essentially a revert of ad891591.

Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
parent eb5b76aa
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 0 additions and 6 deletions
isolated_app.te
+ 0
6
View file @ 94f9ff87
...@@ -16,12 +16,6 @@ net_domain(isolated_app) ...@@ -16,12 +16,6 @@ net_domain(isolated_app)
# Isolated apps shouldn't be able to access the driver directly. # Isolated apps shouldn't be able to access the driver directly.
neverallow isolated_app gpu_device:file { rw_file_perms execute }; neverallow isolated_app gpu_device:file { rw_file_perms execute };
# read and write access to app_data_file is already
# granted via app.te. Allow execute.
# Needed to allow dlopen() from Chrome renderer processes.
# See b/15902433 for details.
allow isolated_app app_data_file:file execute;
# Audited locally. # Audited locally.
service_manager_local_audit_domain(isolated_app) service_manager_local_audit_domain(isolated_app)
auditallow isolated_app { auditallow isolated_app {
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment