I might suggest that things of this nature be put in separate files that are easy to remove for more secure use cases. For example, aosp.te
________________________________________
From: [email protected] [[email protected]] on behalf of Stephen Smalley [[email protected]]
Sent: Thursday, March 07, 2013 5:37 AM
To: Persaud, Ryan K.
Cc: [email protected]
Subject: Re: Libraries in the assets directory

On 03/06/2013 05:03 PM, Persaud, Ryan K. wrote:
> While testing the Netflix application com.netflix.mediaclient, I got the
> following denial:
>
> type=1400 audit(1362425946.431:10): avc: denied { execute } for
> pid=890 comm="Thread-100"
> path="/data/data/com.netflix.mediaclient/files/libcrittercism-ndk.so"
> dev=mtdblock1 ino=855 scontext=u:r:untrusted_app:s0:c48,c256
> tcontext=u:object_r:app_data_file:s0:c48,c256 tclass=file
>
> Netflix put the libcrittercism-ndk.so library in the assets directory
> instead of lib when the apk was generated. Consequently when the app is
> installed, libcrittercism-ndk.so gets placed into the files directory.
> I’ve noted two other applications, com.imangi.templerun2 and
> com.kiloo.subwaysurf, that also have libraries in the assets directory.
> Should the default SEAndroid policy reflect this practice?

Preferably not, as this violates separation of code and data, but may be
required in the default policy of AOSP and commodity devices for
compatibility.

--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
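The denial discussed in this thread, worked through as an added example that is not part of the original messages or of the SEAndroid project: it parses AVC denials, flags those where a file labelled as app data was about to be executed, and prints the audit2allow-style rule a reviewer would have to decide on. The function names, the `DATA_TYPES` set and the second log line are assumptions made for the example.

```python
import re

# Constructed input: the denial quoted in the thread, joined onto one line,
# followed by a made-up denial that should not be flagged.
SAMPLE_LOG = [
    'type=1400 audit(1362425946.431:10): avc: denied { execute } for pid=890 comm="Thread-100" path="/data/data/com.netflix.mediaclient/files/libcrittercism-ndk.so" dev=mtdblock1 ino=855 scontext=u:r:untrusted_app:s0:c48,c256 tcontext=u:object_r:app_data_file:s0:c48,c256 tclass=file',
    'type=1400 audit(1362425950.100:11): avc: denied { read } for pid=901 comm="example" path="/data/misc/example.conf" dev=mtdblock1 ino=900 scontext=u:r:untrusted_app:s0:c49,c256 tcontext=u:object_r:system_data_file:s0 tclass=file',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXEC_PERMS = {"execute", "execute_no_trans", "execmod"}
DATA_TYPES = {"app_data_file"}  # assumption: types that label writable app data


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")  # user:role:type:level[:categories]
        rec[key[0] + "type"] = parts[2] if len(parts) > 2 else ""
    return rec


def exec_from_data(lines):
    """Yield denials where a file labelled as app data was about to be executed."""
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "file"
                and rec["perms"] & EXEC_PERMS and rec["ttype"] in DATA_TYPES):
            yield rec


def candidate_rule(rec):
    """audit2allow-style rule text, for review only (nothing is loaded)."""
    perms = sorted(rec["perms"])
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['stype']} {rec['ttype']}:{rec['tclass']} {p};"


if __name__ == "__main__":
    for rec in exec_from_data(SAMPLE_LOG):
        print(rec["path"], "->", candidate_rule(rec))
```

Keeping the printed rule out of the base policy and in a separate, removable file is the arrangement suggested in the first reply.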
