untrusted_apps: allow untrusted_apps to execute from /vendor/app

The typical use case is where vendor apps which run as untrusted apps use libraries that are packaged withing the apk Bug: 37753883 Test: Tested by runnig pre-installed app that packages a library from /vendor/app Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf Signed-off-by: Sandeep Patil <sspatil@google.com>

untrusted_apps: allow untrusted_apps to execute from /vendor/app
ef7b2109 · Sandeep Patil · 89671020 · ef7b2109
Commit ef7b2109 authored 7 years ago by Sandeep Patil
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -96,3 +96,11 @@ allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 allow untrusted_app_all preloads_media_file:dir r_dir_perms;
 allow untrusted_app_all preloads_media_file:file r_file_perms;
 allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating  a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };