Coalesce rules for allowing execution of shared objects by app domains.
Change-Id: I809738e7de038ad69905a77ea71fda4f25035d09
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/app.te b/app.te
index e305e0e..4f5c5db 100644
--- a/app.te
+++ b/app.te
@@ -69,7 +69,6 @@
# set it must be an mlstrustedsubject.
type isolated_app, domain, mlstrustedsubject;
app_domain(isolated_app)
-allow isolated_app system_data_file:file { open execute };
#
# Rules for platform app domains.
@@ -81,8 +80,6 @@
# App sdcard file accesses
allow platformappdomain sdcard_type:dir create_dir_perms;
allow platformappdomain sdcard_type:file create_file_perms;
-# System data file accesses (e.g, shared objects from the lib directory)
-allow platformappdomain system_data_file:file { execute open };
#
# Untrusted apps.
@@ -92,7 +89,6 @@
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
allow untrusted_app tun_device:chr_file rw_file_perms;
-allow untrusted_app system_data_file:file { execute open };
# Internal SDCard rw access.
bool app_internal_sdcard_rw true;
@@ -140,6 +136,7 @@
# lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms;
+allow appdomain system_data_file:file { execute open };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { read write };
