Allow apps to execute app_data_files

Fixes the following denial: <5>[28362.335293] type=1400 audit(1378991198.292:24): avc: denied { execute } for pid=1640 comm="facebook.katana" path="/data/data/com.facebook.katana/app_libs/libfb_jpegturbo.so" dev="mmcblk0p23" ino=652556 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file Change-Id: I4a515610149f06f0c49194feb6bc96e9b3080c12

Allow apps to execute app_data_files
a24a991d · Nick Kralevich · a2477056 · a24a991d
Commit a24a991d authored 11 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger)

 # App sandbox file accesses.
 allow appdomain app_data_file:dir create_dir_perms;
-allow appdomain app_data_file:notdevfile_class_set create_file_perms;
+allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute };

 # Read/write data files created by the platform apps if they
 # were passed to the app via binder or local IPC.  Do not allow open.