Change zygote sepolicy whitelist.
Allow the zygote to create instruction set specific directories under /data/dalvik-cache and to change their owner to the system UID. These subdirectories are required in order to support instruction set specific dex caches on devices that support multiple instruction sets. We can't ask init to create these directories for us, because init doesn't have any knowledge about the list of runtime instruction sets the device supports. The owner needs to be system because the package manager (running in the system_server) is allowed to manipulate files under this directory. Change-Id: Ibb248d198d4430ef8bc494111a60d537c7d04784
This commit is contained in:
parent
0372f60bad
commit
032e5b0ae1
@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
|
||||
init_daemon_domain(zygote)
|
||||
typeattribute zygote mlstrustedsubject;
|
||||
# Override DAC on files and switch uid/gid.
|
||||
allow zygote self:capability { dac_override setgid setuid fowner };
|
||||
allow zygote self:capability { dac_override setgid setuid fowner chown };
|
||||
# Drop capabilities from bounding set.
|
||||
allow zygote self:capability setpcap;
|
||||
# Switch SELinux context to app domains.
|
||||
@ -20,7 +20,7 @@ allow zygote appdomain:process { getpgid setpgid };
|
||||
# Write to system data.
|
||||
allow zygote system_data_file:dir rw_dir_perms;
|
||||
allow zygote system_data_file:file create_file_perms;
|
||||
allow zygote dalvikcache_data_file:dir rw_dir_perms;
|
||||
allow zygote dalvikcache_data_file:dir create_dir_perms;
|
||||
allow zygote dalvikcache_data_file:file create_file_perms;
|
||||
# For art.
|
||||
allow zygote dalvikcache_data_file:file execute;
|
||||
|
Loading…
Reference in New Issue
Block a user