remove base system app tmpfs execute

thestinger · randomhydrosol · commit 1b70770f09ea · 2021-04-10T03:38:21.000+05:30
Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
diff --git a/prebuilts/api/30.0/private/ephemeral_app.te b/prebuilts/api/30.0/private/ephemeral_app.te
@@ -70,6 +70,9 @@ allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 allow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
+allow ephemeral_app appdomain_tmpfs:file execute;
+auditallow ephemeral_app appdomain_tmpfs:file execute;
+
 ###
 ### neverallow rules
 ###
diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
@@ -73,6 +73,9 @@ can_profile_perf(isolated_app)
 allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
+allow isolated_app appdomain_tmpfs:file execute;
+auditallow isolated_app appdomain_tmpfs:file execute;
+
 #####
 ##### Neverallow
 #####
diff --git a/prebuilts/api/30.0/private/untrusted_app.te b/prebuilts/api/30.0/private/untrusted_app.te
@@ -27,3 +27,6 @@ auditallow untrusted_app app_data_file:file execute;
 
 allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app appdomain_tmpfs:file execute;
+auditallow untrusted_app appdomain_tmpfs:file execute;
diff --git a/prebuilts/api/30.0/private/untrusted_app_25.te b/prebuilts/api/30.0/private/untrusted_app_25.te
@@ -64,3 +64,6 @@ allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_25 appdomain_tmpfs:file execute;
+auditallow untrusted_app_25 appdomain_tmpfs:file execute;
diff --git a/prebuilts/api/30.0/private/untrusted_app_27.te b/prebuilts/api/30.0/private/untrusted_app_27.te
@@ -52,3 +52,6 @@ allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_27 appdomain_tmpfs:file execute;
+auditallow untrusted_app_27 appdomain_tmpfs:file execute;
diff --git a/prebuilts/api/30.0/private/untrusted_app_29.te b/prebuilts/api/30.0/private/untrusted_app_29.te
@@ -30,3 +30,6 @@ allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_29 appdomain_tmpfs:file execute;
+auditallow untrusted_app_29 appdomain_tmpfs:file execute;
diff --git a/prebuilts/api/30.0/public/te_macros b/prebuilts/api/30.0/public/te_macros
@@ -170,8 +170,7 @@ define(`app_domain', `
 typeattribute $1 appdomain;
 # Label tmpfs objects for all apps.
 type_transition $1 tmpfs:file appdomain_tmpfs;
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
-auditallow $1 appdomain_tmpfs:file execute;
+allow $1 appdomain_tmpfs:file { getattr map read write };
 neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
@@ -70,6 +70,9 @@ allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 allow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
+allow ephemeral_app appdomain_tmpfs:file execute;
+auditallow ephemeral_app appdomain_tmpfs:file execute;
+
 ###
 ### neverallow rules
 ###
diff --git a/private/isolated_app.te b/private/isolated_app.te
@@ -73,6 +73,9 @@ can_profile_perf(isolated_app)
 allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 
+allow isolated_app appdomain_tmpfs:file execute;
+auditallow isolated_app appdomain_tmpfs:file execute;
+
 #####
 ##### Neverallow
 #####
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
@@ -27,3 +27,6 @@ auditallow untrusted_app app_data_file:file execute;
 
 allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app appdomain_tmpfs:file execute;
+auditallow untrusted_app appdomain_tmpfs:file execute;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
@@ -64,3 +64,6 @@ allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_25 appdomain_tmpfs:file execute;
+auditallow untrusted_app_25 appdomain_tmpfs:file execute;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
@@ -52,3 +52,6 @@ allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_27 appdomain_tmpfs:file execute;
+auditallow untrusted_app_27 appdomain_tmpfs:file execute;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
@@ -30,3 +30,6 @@ allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
 
 allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
 auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
+allow untrusted_app_29 appdomain_tmpfs:file execute;
+auditallow untrusted_app_29 appdomain_tmpfs:file execute;
diff --git a/public/te_macros b/public/te_macros
@@ -170,8 +170,7 @@ define(`app_domain', `
 typeattribute $1 appdomain;
 # Label tmpfs objects for all apps.
 type_transition $1 tmpfs:file appdomain_tmpfs;
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
-auditallow $1 appdomain_tmpfs:file execute;
+allow $1 appdomain_tmpfs:file { getattr map read write };
 neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
