author Stephen Smalley <sds@tycho.nsa.gov> 2013-12-20 08:24:12 -0500
committer Stephen Smalley <sds@tycho.nsa.gov> 2014-01-02 21:26:14 +0000
commit ad7df7bb76ce00cdef711ad1f96a9a7243981f4e
tree c8644887b4f270d08842ce72f48fdff8231c1552 /app.te
parent 527316a21b80c2a70d8ed23351299a4dce0c77bf
Remove execmem permission from domain, add to appdomain.

execmem permission controls the ability to make an anonymous mapping executable or to make a private file mapping writable and executable. Remove this permission from domain (i.e. all domains) by default, and add it explicitly to app domains. It is already allowed in other specific .te files as required. There may be additional cases in device-specific policy where it is required for proprietary binaries.

Change-Id: I902ac6f8cf2e93d46b3a976bc4dabefa3905fce6
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'app.te')
-rw-r--r-- app.te 3
1 files changed, 3 insertions, 0 deletions
diff --git a/app.te b/app.te
index f53f633..80c40aa 100644
--- a/app.te
+++ b/app.te
@@ -7,6 +7,9 @@
### zygote spawned apps should be added here.
###
+# Dalvik Compiler JIT Mapping.
+allow appdomain self:process execmem;
+
# Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore)
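
Review bot: The comment on the new rule ("Dalvik Compiler JIT Mapping.") names one consumer but not the scope of the grant: `allow appdomain self:process execmem;` applies to every type in appdomain, which the header just above describes as where all zygote spawned apps are added. Suggest expanding the comment to state what execmem permits (per the commit message: making an anonymous mapping executable, or a private file mapping writable and executable) and that the grant to all app domains is deliberate, so a later reader can judge whether a specific app domain could have it dropped. The matching removal from domain is not part of this file's diff (the diffstat is limited to app.te), so it needs to be checked in the rest of the commit before confirming that execmem is no longer allowed by default.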