diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-10 10:31:09 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-03-10 10:40:44 -0400 |
commit | 3bfdc6b420bc2fa60a7e8830789fec9820ecbb4d (patch) | |
tree | 9ff08898bc6da8814d8e292ad6ba3e67e99a749b /zygote.te | |
parent | 2a8be3c1c5b120ca7bc59efc482208973aee66b9 (diff) | |
download | android_external_sepolicy-3bfdc6b420bc2fa60a7e8830789fec9820ecbb4d.tar.gz android_external_sepolicy-3bfdc6b420bc2fa60a7e8830789fec9820ecbb4d.tar.bz2 android_external_sepolicy-3bfdc6b420bc2fa60a7e8830789fec9820ecbb4d.zip |
Allow stat of /system/bin/app_process by zygote.
This resolves denials such as:
type=1400 audit(7803852.559:251): avc: denied { getattr } for pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
(triggered on an art crash seen in recent AOSP master)
Rather than just adding this permission individually, just rewrite
the existing rule to use the rx_file_perms macro.
We already allowed most of these permissions by way of the
domain_auto_trans() rule via init_daemon_domain() and the rule
for the --invoke-with support. Using macros helps reduce
policy fragility/brittleness.
Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'zygote.te')
-rw-r--r-- | zygote.te | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -45,7 +45,7 @@ allow zygote tmpfs:filesystem mount; allow zygote labeledfs:filesystem remount; # Handle --invoke-with command when launching Zygote with a wrapper command. -allow zygote zygote_exec:file { execute_no_trans open }; +allow zygote zygote_exec:file rx_file_perms; # handle bugreports b/10498304 allow zygote ashmem_device:chr_file execute; |