diff options
-rw-r--r-- | app.te | 2 | ||||
-rw-r--r-- | untrusted_app.te | 4 |
2 files changed, 5 insertions, 1 deletions
@@ -30,7 +30,7 @@ binder_call(appdomain, surfaceflinger) # App sandbox file accesses. allow appdomain app_data_file:dir create_dir_perms; -allow appdomain app_data_file:notdevfile_class_set { create_file_perms execute }; +allow appdomain app_data_file:notdevfile_class_set create_file_perms; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; diff --git a/untrusted_app.te b/untrusted_app.te index bdc9417..d7c053d 100644 --- a/untrusted_app.te +++ b/untrusted_app.te @@ -15,6 +15,10 @@ app_domain(untrusted_app) net_domain(untrusted_app) bluetooth_domain(untrusted_app) +# Some apps ship with shared libraries and binaries that they write out +# to their sandbox directory and then execute. +allow untrusted_app app_data_file:file rx_file_perms; + allow untrusted_app tun_device:chr_file rw_file_perms; # Internal SDCard rw access. |