From ef7b21093706a140a2c3e6121cc7e47230c87b14 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 28 Apr 2017 13:17:26 -0700
Subject: [PATCH] untrusted_apps: allow untrusted_apps to execute from
 /vendor/app

The typical use case is where vendor apps which run as untrusted apps
use libraries that are packaged within the apk

Bug: 37753883
Test: Tested by runnig pre-installed app that packages a library from
      /vendor/app

Change-Id: I445144e37e49e531f4f43b13f34d6f2e78d7a3cf
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/untrusted_app_all.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index bf9593697..fc80129a7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -96,3 +96,11 @@ allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
 allow untrusted_app_all preloads_media_file:dir r_dir_perms;
 allow untrusted_app_all preloads_media_file:file r_file_perms;
 allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating  a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
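Review bot: The new rules spell out permission sets by hand while the surrounding lines in the same file (the `preloads_media_file` rules in the context above) use the `r_dir_perms` / `r_file_perms` macros, and the comment does not say whether the narrower hand-written sets are deliberate. If `ioctl`/`lock` are intentionally withheld from untrusted apps on vendor_app_file, the comment should state that so a later cleanup does not "fix" it back to the macros; if not, the macros would keep this block consistent with the rest of the file. The comment text itself also reads awkwardly ("for there can be", double space in "creating  a"); suggested wording: `# Allow untrusted apps read / execute access to /vendor/app: pre-installed vendor apps may package a library inside their apk. Permission sets are intentionally narrower than r_dir_perms / r_file_perms.` — adjust the last sentence to whatever the intent actually is. Since the grant of `execute` applies to every untrusted app for the whole of vendor_app_file, the TODO for a dedicated type (b/37784178) is the real mitigation and is worth tracking rather than leaving as a comment.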
-- 
GitLab