remove base system app app_data_file execute

Signed-off-by: anupritaisno1 <[email protected]>

Author: renlord

prebuilts/api/30.0/private/untrusted_app.te

@@ -17,3 +17,10 @@ bluetooth_domain(untrusted_app)
 
 allow untrusted_app self:process execmem;
 auditallow untrusted_app self:process execmem;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=29.
+allow untrusted_app privapp_data_file:file { r_file_perms execute };
+allow untrusted_app app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app app_data_file:file execute;

prebuilts/api/30.0/private/untrusted_app_25.te

@@ -39,6 +39,13 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 allow untrusted_app_25 app_data_file:file execute_no_trans;
 auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=25.
+allow untrusted_app_25 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_25 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_25 app_data_file:file execute;
+
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;

prebuilts/api/30.0/private/untrusted_app_27.te

@@ -27,6 +27,13 @@ allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file exe
 allow untrusted_app_27 app_data_file:file execute_no_trans;
 auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=27.
+allow untrusted_app_27 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_27 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_27 app_data_file:file execute;
+
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;

prebuilts/api/30.0/private/untrusted_app_29.te

@@ -18,5 +18,12 @@ bluetooth_domain(untrusted_app_29)
 allow untrusted_app_29 self:process execmem;
 auditallow untrusted_app_29 self:process execmem;
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=27.
+allow untrusted_app_29 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_29 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_29 app_data_file:file execute;
+
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };

prebuilts/api/30.0/private/untrusted_app_all.te

@@ -20,12 +20,6 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.
 
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file     { r_file_perms execute };
-auditallow untrusted_app_all app_data_file:file execute;
-
 # Chrome Crashpad uses the the dynamic linker to load native executables
 # from an APK (b/112050209, crbug.com/928422)
 allow untrusted_app_all system_linker_exec:file execute_no_trans;

private/untrusted_app.te

@@ -17,3 +17,10 @@ bluetooth_domain(untrusted_app)
 
 allow untrusted_app self:process execmem;
 auditallow untrusted_app self:process execmem;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=29.
+allow untrusted_app privapp_data_file:file { r_file_perms execute };
+allow untrusted_app app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app app_data_file:file execute;

private/untrusted_app_25.te

@@ -39,6 +39,13 @@ allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file exe
 allow untrusted_app_25 app_data_file:file execute_no_trans;
 auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=25.
+allow untrusted_app_25 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_25 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_25 app_data_file:file execute;
+
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;

private/untrusted_app_27.te

@@ -27,6 +27,13 @@ allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file exe
 allow untrusted_app_27 app_data_file:file execute_no_trans;
 auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=27.
+allow untrusted_app_27 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_27 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_27 app_data_file:file execute;
+
 # The ability to invoke dex2oat. Historically required by ART, now only
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;

private/untrusted_app_29.te

@@ -18,5 +18,12 @@ bluetooth_domain(untrusted_app_29)
 allow untrusted_app_29 self:process execmem;
 auditallow untrusted_app_29 self:process execmem;
 
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+# This is allowed for non-base system apps targetAPI <=27.
+allow untrusted_app_29 privapp_data_file:file { r_file_perms execute };
+allow untrusted_app_29 app_data_file:file     { r_file_perms execute };
+auditallow untrusted_app_29 app_data_file:file execute;
+
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };

private/untrusted_app_all.te

@@ -20,12 +20,6 @@
 ### Note that rules that should apply to all untrusted apps must be in app.te or also
 ### added to ephemeral_app.te.
 
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file     { r_file_perms execute };
-auditallow untrusted_app_all app_data_file:file execute;
-
 # Chrome Crashpad uses the the dynamic linker to load native executables
 # from an APK (b/112050209, crbug.com/928422)
 allow untrusted_app_all system_linker_exec:file execute_no_trans;