From 4738b93db250175f0915cee2f08ab01aaf8d28f9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 6 Aug 2018 14:48:53 -0700
Subject: [PATCH] auditallow app_data_file execute

Executing files from an application home directory violates W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code from a writable file) and is an unsafe application behavior. Test to see if we can get rid of it and establish some baseline metrics.

Test: device boots and no obvious problems.
Change-Id: I756c281fcbf750821307327642cc0d06605951b0
---
 private/ephemeral_app.te | 6 ++++++
 private/untrusted_app_all.te | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index f28d28f04..f75a87dd2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -23,6 +23,12 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # to their sandbox directory and then execute.
 allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};
 
+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow ephemeral_app app_data_file:file execute;
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 11cea6ea2..fdda73031 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
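Review bot: The new `auditallow ephemeral_app app_data_file:file execute;` covers only `app_data_file`, while the `allow` rule two lines above it grants `execute` on both `app_data_file` and `privapp_data_file`, so executions out of the priv-app data directory will not appear in the baseline this change sets out to collect. If that omission is deliberate, a one-line comment would save the next reader from re-deriving it, e.g. `# privapp_data_file is intentionally not audited here.`; otherwise the rule should read `auditallow ephemeral_app { app_data_file privapp_data_file }:file execute;`. The same gap applies to the untrusted_app_all hunk, whose auditallow is likewise limited to `app_data_file`. It would also help to state in the comment that auditallow only logs granted accesses and does not itself grant anything, so the allow rule above has to be removed separately once the metrics are in.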
@@ -24,6 +24,12 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };
 
+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
+
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;
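Review bot: The audited permission set here, `{ execute execute_no_trans }`, differs from the ephemeral_app hunk, which audits only `execute`; that asymmetry presumably follows from the allow rules above each (`rx_file_perms` here, which in the AOSP global macros expands to include `execute_no_trans`, versus `{r_file_perms execute}` for ephemeral_app), but nothing in the added comment says so. A short addition such as `# execute_no_trans is audited too because rx_file_perms grants it above.` would make the pairing explicit and keep the two rules from drifting apart if either allow rule is later changed. As far as the visible lines show, the two auditallow rules otherwise mirror each other and no further change seems needed.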