PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add execmod to various app domains

Browse Source 
NDK r8c and below induced text relocations into every NDK
compiled shared library. (https://code.google.com/p/android/issues/detail?id=23203).
For compatibility, we need to support shared libraries with text relocations
in them.

Addresses the following error / denial:

  06-02 13:28:59.495  3634  3634 W linker  : libCore.so has text relocations. This is wasting memory and prevents security hardening. Please fix.
  <4>[   57.430677] type=1400 audit(1401740939.756:13): avc: denied { execmod } for pid=3634 comm=".playandlearnhd" path="/data/app-lib/com.adobe.air-2/libCore.so" dev="mmcblk0p28" ino=32745 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=file

Steps to reproduce:
1) Install Adobe AIR (https://play.google.com/store/apps/details?id=com.adobe.air)
2) Install PBS Parents Play & Learn (https://play.google.com/store/apps/details?id=air.org.pbskids.playandlearnhd)
3) Attempt to run Play & Learn app

Expected:
  App runs

Actual:
  App crashes with error above.

Bug: 15388851
Change-Id: I88bfd72b2abf2407803da0209d2313c8210c6663
This commit is contained in:
Nick Kralevich 2014-06-02 14:49:10 -07:00
parent 3957ae733f
commit 78706f9ef6
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app.te
View File

@ -51,7 +51,7 @@ allow appdomain app_data_file:notdevfile_class_set create_file_perms;
# lib subdirectory of /data/data dir is system-owned. # lib subdirectory of /data/data dir is system-owned.
allow appdomain system_data_file:dir r_dir_perms; allow appdomain system_data_file:dir r_dir_perms;
allow appdomain system_data_file:file { execute execute_no_trans open }; allow appdomain system_data_file:file { execute execute_no_trans open execmod };
# Access to OEM provided data and apps # Access to OEM provided data and apps
allow appdomain oemfs:dir r_dir_perms; allow appdomain oemfs:dir r_dir_perms;

4
untrusted_app.te
View File

@ -27,7 +27,7 @@ bluetooth_domain(untrusted_app)
# Some apps ship with shared libraries and binaries that they write out # Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute. # to their sandbox directory and then execute.
allow untrusted_app app_data_file:file rx_file_perms; allow untrusted_app app_data_file:file { rx_file_perms execmod };
allow untrusted_app tun_device:chr_file rw_file_perms; allow untrusted_app tun_device:chr_file rw_file_perms;
@ -35,7 +35,7 @@ allow untrusted_app tun_device:chr_file rw_file_perms;
allow untrusted_app asec_apk_file:dir { getattr }; allow untrusted_app asec_apk_file:dir { getattr };
allow untrusted_app asec_apk_file:file r_file_perms; allow untrusted_app asec_apk_file:file r_file_perms;
# Execute libs in asec containers. # Execute libs in asec containers.
allow untrusted_app asec_public_file:file execute; allow untrusted_app asec_public_file:file { execute execmod };
# Allow the allocation and use of ptys # Allow the allocation and use of ptys
# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm