Coalesce rules for allowing execution of shared objects by app domains.

Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Coalesce rules for allowing execution of shared objects by app domains.
b5f6977a · Stephen Smalley · repo sync · 9de4c692 · b5f6977a
Commit b5f6977a authored 12 years ago by Stephen Smalley Committed by repo sync 12 years ago
--- a/app.te
+++ b/app.te
@@ -69,7 +69,6 @@ bluetooth_domain(release_app)
 # set it must be an mlstrustedsubject.
 type isolated_app, domain, mlstrustedsubject;
 app_domain(isolated_app)
-allow isolated_app system_data_file:file { open execute };

 #
 # Rules for platform app domains.
@@ -81,8 +80,6 @@ allow platformappdomain platform_app_data_file:notdevfile_class_set create_file_
 # App sdcard file accesses
 allow platformappdomain sdcard_type:dir create_dir_perms;
 allow platformappdomain sdcard_type:file create_file_perms;
-# System data file accesses (e.g, shared objects from the lib directory)
-allow platformappdomain system_data_file:file { execute open };

 #
 # Untrusted apps.
@@ -92,7 +89,6 @@ app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
-allow untrusted_app system_data_file:file { execute open };

 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
@@ -140,6 +136,7 @@ allow appdomain platform_app_data_file:file { read write };

 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
+allow appdomain system_data_file:file { execute open };

 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { read write };