add execmod to various app domains
NDK r8c and below induced text relocations into every NDK compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203). For compatibility, we need to support shared libraries with text relocations in them. Addresses the following error / denial: 06-02 13:28:59.495 3634 3634 W linker : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix. <4>[ 57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Steps to reproduce: 1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air) 2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd) 3) Attempt to run Play & Learn app Expected: App runs Actual: App crashes with error above. Bug: 15388851 Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
This commit is contained in:
parent
3957ae733f
commit
78706f9ef6
2
app.te
2
app.te
@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
|
|||||||
|
|
||||||
# lib subdirectory of /data/data dir is system-owned.
|
# lib subdirectory of /data/data dir is system-owned.
|
||||||
allow appdomain system_data_file:dir r_dir_perms;
|
allow appdomain system_data_file:dir r_dir_perms;
|
||||||
allow appdomain system_data_file:file { execute execute_no_trans open };
|
allow appdomain system_data_file:file { execute execute_no_trans open execmod };
|
||||||
|
|
||||||
# Access to OEM provided data and apps
|
# Access to OEM provided data and apps
|
||||||
allow appdomain oemfs:dir r_dir_perms;
|
allow appdomain oemfs:dir r_dir_perms;
|
||||||
|
@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)
|
|||||||
|
|
||||||
# Some apps ship with shared libraries and binaries that they write out
|
# Some apps ship with shared libraries and binaries that they write out
|
||||||
# to their sandbox directory and then execute.
|
# to their sandbox directory and then execute.
|
||||||
allow untrusted_app app_data_file:file rx_file_perms;
|
allow untrusted_app app_data_file:file { rx_file_perms execmod };
|
||||||
|
|
||||||
allow untrusted_app tun_device:chr_file rw_file_perms;
|
allow untrusted_app tun_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
|
|||||||
allow untrusted_app asec_apk_file:dir { getattr };
|
allow untrusted_app asec_apk_file:dir { getattr };
|
||||||
allow untrusted_app asec_apk_file:file r_file_perms;
|
allow untrusted_app asec_apk_file:file r_file_perms;
|
||||||
# Execute libs in asec containers.
|
# Execute libs in asec containers.
|
||||||
allow untrusted_app asec_public_file:file execute;
|
allow untrusted_app asec_public_file:file { execute execmod };
|
||||||
|
|
||||||
# Allow the allocation and use of ptys
|
# Allow the allocation and use of ptys
|
||||||
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
|
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
|
||||||
|
Loading…
Reference in New Issue
Block a user