PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Change zygote sepolicy whitelist.

Browse Source 
Allow the zygote to create instruction set specific
directories under /data/dalvik-cache and to change their owner
to the system UID.

These subdirectories are required in order to support
instruction set specific dex caches on devices that support
multiple instruction sets. We can't ask init to create these
directories for us, because init doesn't have any knowledge
about the list of runtime instruction sets the device supports.

The owner needs to be system because the package manager (running
in the system_server) is allowed to manipulate files under this
directory.

Change-Id: Ibb248d198d4430ef8bc494111a60d537c7d04784
This commit is contained in:
Narayan Kamath 2014-04-28 15:17:29 +01:00
parent 0372f60bad
commit 032e5b0ae1
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
zygote.te
View File

@ -5,7 +5,7 @@ type zygote_exec, exec_type, file_type;
init_daemon_domain(zygote)
typeattribute zygote mlstrustedsubject;
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner };
allow zygote self:capability { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
allow zygote self:capability setpcap;
# Switch SELinux context to app domains.
@ -20,7 +20,7 @@ allow zygote appdomain:process { getpgid setpgid };
# Write to system data.
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:dir create_dir_perms;
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.
allow zygote dalvikcache_data_file:file execute;