Snap for 4488012 from 473cc5e17d09911f0ffea82bbef26ca1896086a6 to oreo-cts-release
Change-Id: I4297e356217a28786ba4102c07fd631a229de6af
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index d664a50..7f22347 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -19,6 +19,10 @@
# Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
# services
allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find;
@@ -36,8 +40,7 @@
### neverallow rules
###
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
# Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;