From f77e8c1b0c3935f7f4e8e74a3833b1a1345bf2f1 Mon Sep 17 00:00:00 2001
From: Nicolas Geoffray
Date: Mon, 17 Jun 2019 14:20:23 +0100
Subject: [PATCH] Allow zygote to create fds and map executable.

This is so that zygote can create the JIT cache with memfd_create (or ashmem when memfd is not available).

Test: boot
Bug: 119800099
Change-Id: I88f1f6b1c930a8d22985b306a238f60b4af59f9c
---
 private/zygote.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/zygote.te b/private/zygote.te
index 0466372c0..cf5a7a30c 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -3,6 +3,7 @@ typeattribute zygote coredomain;
 typeattribute zygote mlstrustedsubject;
 init_daemon_domain(zygote)
+tmpfs_domain(zygote)
 read_runtime_log_tags(zygote)
@@ -51,6 +52,8 @@ allow zygote dalvikcache_data_file:file execute;
 # Allow zygote to create JIT memory.
 allow zygote self:process execmem;
+allow zygote zygote_tmpfs:file execute;
+allow zygote ashmem_device:chr_file execute;
 # Execute idmap and dex2oat within zygote's own domain.
 # TODO: Should either of these be transitioned to the same domain
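Review bot: `tmpfs_domain(zygote)` introduces the `zygote_tmpfs` type that the second hunk grants `execute` on, but nothing at this line says why zygote needs a private tmpfs type. The permissions the macro itself grants are defined outside this patch, so a reader of zygote.te cannot tell what zygote may do with these files. A one-line comment above the macro would help, e.g. `# Private tmpfs type (zygote_tmpfs) backing the memfd JIT cache.` If processes forked from zygote are expected to keep using the mapping, their domains would presumably need matching rules, which this single-file change does not add.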
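Review bot: The `allow zygote ashmem_device:chr_file execute;` rule is not scoped to the JIT cache: it applies to any ashmem region zygote maps, while the commit message describes ashmem only as the fallback when memfd is unavailable. Together with the existing `execmem` and whatever write access `tmpfs_domain` gives on `zygote_tmpfs` (not visible here), zygote may be able to both write and execute the same memory objects, so it is worth confirming that the JIT maps separate writable and executable views. The two new rules also sit under the older `# Allow zygote to create JIT memory.` comment with no explanation of their own. I would record the intent above them, e.g. `# JIT cache is backed by memfd (zygote_tmpfs); ashmem is the fallback when memfd_create is unavailable.` and `# TODO: drop the ashmem_device rule once memfd is always available.`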