From ad891591e6c5d3ffffd2633672c48ab7e263cdec Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 27 Jun 2014 15:19:04 -0700
Subject: [PATCH] isolated_app: allow app_data_file execute

Chrome renderer processes dlopen() a shared library from gmscore. Open and read on app data file is already allowed, but execute isn't, so the dlopen() fails. This is a regression from K, where the dlopen succeeded.

Longer term, there's questions about whether this is appropriate behavior for an isolated app. For now, allow the behavior. See the discussion in b/15902433 for details.

Addresses the following denial:

I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file

Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678
---
 isolated_app.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/isolated_app.te b/isolated_app.te
index 4745d7e39..a156838bb 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -12,3 +12,9 @@
 type isolated_app, domain;
 app_domain(isolated_app)
 net_domain(isolated_app)
+
+# read and write access to app_data_file is already
+# granted via app.te. Allow execute.
+# Needed to allow dlopen() from Chrome renderer processes.
+# See b/15902433 for details.
+allow isolated_app app_data_file:file execute;
-- 
GitLab
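Review bot: The added `allow isolated_app app_data_file:file execute;` is broader than the case its comment describes: app_data_file labels every app's private data files, so this lets an isolated renderer map any app-writable file as executable, not only the gmscore library named in the denial. Since the description itself leaves the longer-term appropriateness open, the comment should record that widening rather than only the motivating dlopen(), e.g. `# TODO(b/15902433): broader than the gmscore library case; revisit whether isolated_app should execute app-writable files at all.` The comment's statement that read and write are already granted via app.te is not visible in this hunk and should be confirmed against that file before relying on it as the justification. The hunk appears to cover the end of isolated_app.te, so any existing neverallow on executing app_data_file elsewhere in the policy would not show here and should be checked by a policy build.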