PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not allow zygote to execve dalvikcache files.

Browse Source 
x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-01-09 09:27:15 -05:00 committed by Nick Kralevich
parent 39fd7818b3
commit 49c995d1c8
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
zygote.te
View File

@ -21,7 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };
allow zygote dalvikcache_data_file:file create_file_perms;
# For art.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt.
allow zygote system_file:file x_file_perms;
# Control cgroups.