sepolicy: allow zygote to use ashmem fds
Ashmem FD selinux labels have recently been changed (aosp/1127917) from "ashmemd" to the label of whichever process opens the fd, which resulted in the following denial: avc: denied { use } for path="/dev/ashmemf5dc2dbf-d1e7-457e-b694-93c84704135e" dev="tmpfs" ino=18972 ioctlcmd=0x7704 scontext=u:r:zygote:s0 tcontext=u:r:system_server:s0 tclass=fd permissive=1 Test: m selinux_policy Change-Id: I4880420014bda21cd4f83e3d6190c3cfaa76822f
parent
cc3f943436
commit
08bf97db8c
1 changed files with 3 additions and 0 deletions
|
@ -146,6 +146,9 @@ get_prop(zygote, device_config_runtime_native_boot_prop)
|
|||
# ingore spurious denials
|
||||
dontaudit zygote self:global_capability_class_set sys_resource;
|
||||
|
||||
# Allow zygote to use ashmem fds from system_server.
|
||||
allow zygote system_server:fd use;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
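Review bot: The added rule `allow zygote system_server:fd use;` is wider than its comment says. The `fd` class `use` permission is keyed on the domain that opened the descriptor, so it covers every fd created by system_server that reaches zygote, not only ashmem regions. Access to the object behind each fd is still checked against that object's own type, so the grant is probably acceptable, but the comment should state the real scope, for example `# Allow zygote to use fds opened by system_server (needed for ashmem; fd use is granted per opening domain, not per object type).` The denial quoted in the description was logged with permissive=1, so it is worth confirming on an enforcing build that no follow-up denial on the underlying tmpfs file appears once this one is resolved.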