5 files changed, 17 insertions, 0 deletions

diff --git a/app.te b/app.te
index 7e53724..8318b16 100644
--- a/app.te
+++ b/app.te
@@ -133,6 +133,10 @@ allow appdomain dalvikcache_data_file:file execute;
 # /data/dalvik-cache/profiles
 allow appdomain dalvikcache_profiles_data_file:file write;
 
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
 ###
 ### CTS-specific rules
 ###
diff --git a/file.te b/file.te
index 00f1589..874f45f 100644
--- a/file.te
+++ b/file.te
@@ -75,6 +75,7 @@ type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
+type shared_relro_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index b7d3cb1..c871d95 100644
--- a/file_contexts
+++ b/file_contexts
@@ -196,6 +196,7 @@
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
+/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0
diff --git a/seapp_contexts b/seapp_contexts
index 91cfe72..57b443f 100644
--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,6 +39,7 @@ user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
 user=shell domain=shell type=shell_data_file
 user=_isolated domain=isolated_app
 user=_app seinfo=platform domain=platform_app type=app_data_file
diff --git a/shared_relro.te b/shared_relro.te
new file mode 100644
index 0000000..54bdbb9
--- /dev/null
+++ b/shared_relro.te
@@ -0,0 +1,10 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;