Snap for 4488012 from 473cc5e17d09911f0ffea82bbef26ca1896086a6 to oreo-cts-release Change-Id: I4297e356217a28786ba4102c07fd631a229de6af

commit: 40dcb852998e9717736e9b6614cba867ed0d392a [log] [tgz]
author: android-build-prod (mdb) <android-build-team-robot@google.com> Wed Dec 06 20:51:18 2017 +0000
committer: android-build-prod (mdb) <android-build-team-robot@google.com> Wed Dec 06 20:51:18 2017 +0000
tree: be5aba12ff6ed0fa5deea70137ee6179561c3921
parent: abfb632266fc411883083e222feac992b0d69b7a [diff]
parent: 473cc5e17d09911f0ffea82bbef26ca1896086a6 [diff]
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index d664a50..7f22347 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te

@@ -19,6 +19,10 @@
 # Allow ephemeral apps to read/write files in visible storage if provided fds
 allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
 # services
 allow ephemeral_app audioserver_service:service_manager find;
 allow ephemeral_app cameraserver_service:service_manager find;
@@ -36,8 +40,7 @@
 ### neverallow rules
 ###
 
-# Executable content should never be loaded from an ephemeral app home directory.
-neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
+neverallow ephemeral_app app_data_file:file execute_no_trans;
 
 # Receive or send uevent messages.
 neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
commit	40dcb852998e9717736e9b6614cba867ed0d392a	[log] [tgz]
author	android-build-prod (mdb) <android-build-team-robot@google.com>	Wed Dec 06 20:51:18 2017 +0000
committer	android-build-prod (mdb) <android-build-team-robot@google.com>	Wed Dec 06 20:51:18 2017 +0000
tree	be5aba12ff6ed0fa5deea70137ee6179561c3921
parent	abfb632266fc411883083e222feac992b0d69b7a [diff]
parent	473cc5e17d09911f0ffea82bbef26ca1896086a6 [diff]