prevent benign dex2oat selinux denial temporarily
Since we now call patchoat --verify in zygote art loading code, we have the unintended effect of webview zygote calling patchoat --verify. This is undesireable since webview zygote doesn't need to verify the .art files after the app_process zygote has already done so. The exec of patchoat fails for webview zygote, and this change hides that. This change should be reverted when b/72957399 is resolved. Bug: 66697305 Test: Ensure no new selinux denials were introduced. Change-Id: I4152edc920e5c436516b958b8c861dcc1c4751d8
This commit is contained in:
Chris Morin
parent
a4b7a7cc14
commit
9644df47a3
1 changed files with 4 additions and 0 deletions
|
|
@ -47,6 +47,10 @@ allow webview_zygote isolated_app:process setpgid;
|
|||
# Suppress denials to storage. Webview zygote should not be accessing.
|
||||
dontaudit webview_zygote mnt_expand_file:dir getattr;
|
||||
|
||||
# TODO (b/72957399) remove this when webview_zygote is reparented to
|
||||
# app_process zygote
|
||||
dontaudit webview_zygote dex2oat_exec:file execute;
|
||||
|
||||
# Get seapp_contexts
|
||||
allow webview_zygote seapp_contexts_file:file r_file_perms;
|
||||
# Check validity of SELinux context before use.
|
||||
|
|
|
|||
Loading…
Reference in a new issue