PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow zygote to access dir/file under /vendor/overlay

Browse Source 
http://ag/2070347 doesn't allow zygote to read vendor_overlay_file:file
anymore.
But zygote isn't transitioned into idmap when executing idmap_exec. So
we need to allow zygote to access dir/file under /vendor/overlay to
enable idmap_exec run by zygote to read static RRO.

Test: building succeeded and tested a static RRO on sailfish device.
Bug: 37173452
Change-Id: Iec8a6b31d24c225f7819eeb885305f78da73b8e0
This commit is contained in:
Jaekyun Seok 2017-04-08 17:00:55 +09:00
parent d0e9cb0553
commit e360791d37
1 changed files with 2 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
private/zygote.te
View File

@ -51,9 +51,8 @@ allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
# /vendor/overlay existence is checked before
# passing it on as an argument to idmap in AssetManager
allow zygote vendor_overlay_file:dir { getattr open read search };
# Allow apps access to /vendor/overlay
r_dir_file(zygote, vendor_overlay_file)
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;