auditallow app_data_file execute am: 4738b93db2

am: ca8749a0b3 Change-Id: Icbde5e0e612e6fe08e17f91713518bb7e724f2b3
2018-08-06 19:19:56 -07:00 · 2018-08-06 19:19:56 -07:00 · 25f763e374
commit 25f763e374
parent 7ebdfb4b0a ca8749a0b3
2 changed files with 12 additions and 0 deletions
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -23,6 +23,12 @@ allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr
 # to their sandbox directory and then execute.
 allow ephemeral_app { app_data_file privapp_data_file }:file {r_file_perms execute};

+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow ephemeral_app app_data_file:file execute;
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@ -24,6 +24,12 @@
 # to their sandbox directory and then execute.
 allow untrusted_app_all { app_data_file privapp_data_file }:file { rx_file_perms };

+# Executing files from an application home directory violates
+# W^X (https://en.wikipedia.org/wiki/W%5EX) constraints (loading executable code
+# from a writable file) and is an unsafe application behavior. Test to see if we
+# can get rid of it.
+auditallow untrusted_app_all app_data_file:file { execute execute_no_trans };
+
 # ASEC
 allow untrusted_app_all asec_apk_file:file r_file_perms;
 allow untrusted_app_all asec_apk_file:dir r_dir_perms;