From 94f9ff87507921b40ea5a5b1b87195b247451314 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 1 Oct 2014 16:03:27 -0700
Subject: [PATCH] isolated_app: remove app_data_file execute

In commit ad891591e6c5d3ffffd2633672c48ab7e263cdec, we allowed
isolated processes to execute files from /data/data/APPNAME.

I'm pretty sure all the necessary linker changes have been made
so that this functionality isn't required anymore. Remove the
allow rule.

This is essentially a revert of ad891591e6c5d3ffffd2633672c48ab7e263cdec.

Change-Id: I1b073916f66f4965dfc53c0ea2b624bbb2fe8816
---
 isolated_app.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/isolated_app.te b/isolated_app.te
index ae4445ab8..0629ab3cf 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -16,12 +16,6 @@ net_domain(isolated_app)
 # Isolated apps shouldn't be able to access the driver directly.
 neverallow isolated_app gpu_device:file { rw_file_perms execute };
 
-# read and write access to app_data_file is already
-# granted via app.te. Allow execute.
-# Needed to allow dlopen() from Chrome renderer processes.
-# See b/15902433 for details.
-allow isolated_app app_data_file:file execute;
-
 # Audited locally.
 service_manager_local_audit_domain(isolated_app)
 auditallow isolated_app {
-- 
GitLab