From 7160105c14a8367ae43e619b800cc868650ef472 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Tue, 25 Feb 2020 19:37:20 +0100
Subject: [PATCH] app: allow PROT_EXEC on ashmem objects
This fixes a bug introduced in aosp/1143430 where the permission should have been included for the newly introduced ashmem_libcutils_device type.
Test: Build
Fixes: 150193534
Change-Id: I5b1ed8d9548f9dab4ad9373f98e21614c07c3d38
(cherry picked from commit 789ebf03ba416efedfc1d5d37c38ddf87e495459)
---
 private/system_server.te | 2 +-
 public/app.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/private/system_server.te b/private/system_server.te
index a86c7b585..8122d43b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1057,7 +1057,7 @@ neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perm
 ifelse(target_requires_insecure_execmem_for_swiftshader, `true', `allow system_server self:process execmem;', `neverallow system_server self:process execmem;')
-neverallow system_server ashmem_device:chr_file execute;
+neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
 # TODO: deal with tmpfs_domain pub/priv split properly
 neverallow system_server system_server_tmpfs:file execute;
diff --git a/public/app.te b/public/app.te
index 4ceb4a66d..235d3f808 100644
--- a/public/app.te
+++ b/public/app.te
@@ -11,7 +11,7 @@ type appdomain_tmpfs, file_type;
 # WebView and other application-specific JIT compilers
 allow appdomain self:process execmem;
-allow appdomain ashmem_device:chr_file execute;
+allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
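Review bot: The widened rule `neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;` carries no comment in this hunk saying what it guards, unlike the tmpfs neverallow just below it, which at least has a TODO. I would add a line above it such as `# system_server must never map ashmem executable, via either ashmem device node.` The commit message says the original bug was a rule that was not extended to the new type. The same pair of types is now listed by hand here and in public/app.te, so it is worth grepping the policy for other rules that still name `ashmem_device` alone, which this patch does not show.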
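Review bot: The allow rule on `{ ashmem_device ashmem_libcutils_device }:chr_file execute` in public/app.te applies to every domain in `appdomain`, and the only nearby comment ("WebView and other application-specific JIT compilers") reads as belonging to the `execmem` rule above it. A short comment on this line would record the intent, for example `# Allow PROT_EXEC mappings of ashmem regions; keep both ashmem device types listed.` The message gives `Test: Build` only, which shows the policy compiles but not that the denial is gone. A device run confirming that no `avc: denied { execute }` is logged for the new type when an app maps ashmem executable would close that gap.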