From a24a991dd59fe03cdc681aadcb6bbca1ffac9b7b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 12 Sep 2013 12:12:25 -0700
Subject: [PATCH] Allow apps to execute app_data_files

Fixes the following denial:

<5>[28362.335293] type=1400 audit(1378991198.292:24): avc:  denied  { execute } for  pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12
---
 app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.te b/app.te
index aaf811a68..fd16764aa 100644
--- a/app.te
+++ b/app.te
@@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger)
 
 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };
 
 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.
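Review bot: The new allow rule on the `+` line is broader than the denial it fixes: the audit record is for class `file`, but `execute` is added to the whole `notdevfile_class_set` (which here also covers lnk_file, sock_file and fifo_file), and it is granted to every domain in appdomain rather than just the untrusted_app seen in the log. A narrower form that still fixes the denial is a separate rule scoped to the class actually needed, `allow appdomain app_data_file:file execute;`, leaving the existing create_file_perms line as it was. Since app_data_file is writable by the same domain, this grant lets an app map its own written files PROT_EXEC, which is the W+X capability the policy had been withholding; that trade-off is presumably intended for dlopen of extracted native libraries, but it deserves a sentence in the comment above the rule, e.g. `# execute: apps dlopen native libs extracted into their data dir (see audit for app_libs/*.so).` Note that `execute` alone permits mmap/mprotect with PROT_EXEC on the file; running such a file as a program would additionally need execute_no_trans or a domain transition, so the rule as written does not by itself allow app data files to be exec'd — worth stating so a later reader does not widen it further by accident.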
-- 
GitLab