Do not allow zygote to execve dalvikcache files.
x_file_perms and friends allow execve; we only want to permit mmap/mprotect PROT_EXEC here. Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
39fd7818b3
commit
49c995d1c8
@ -21,7 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
|
||||
allow zygote system_data_file:dir rw_dir_perms;
|
||||
allow zygote system_data_file:file create_file_perms;
|
||||
allow zygote dalvikcache_data_file:dir rw_dir_perms;
|
||||
allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
|
||||
allow zygote dalvikcache_data_file:file create_file_perms;
|
||||
# For art.
|
||||
allow zygote dalvikcache_data_file:file execute;
|
||||
# Execute dexopt.
|
||||
allow zygote system_file:file x_file_perms;
|
||||
# Control cgroups.
|
||||
|
Loading…
Reference in New Issue
Block a user