Define SELinux policy for RELRO sharing support.
Define a domain and appropriate access rules for shared RELRO files (used for loading the WebView native library). Any app is permitted to read the files as they are public data, but only the shared_relro process is permitted to create/update them. Bug: 13005501 Change-Id: I9d5ba9e9eedb9b8c80fe6f84a3fc85a68553d52e
This commit is contained in:
Torne (Richard Coles)
parent
ccb9f7a100
commit
9786af2bca
5 changed files with 17 additions and 0 deletions
4
app.te
4
app.te
|
|
@ -133,6 +133,10 @@ allow appdomain dalvikcache_data_file:file execute;
|
|||
# /data/dalvik-cache/profiles
|
||||
allow appdomain dalvikcache_profiles_data_file:file write;
|
||||
|
||||
# Allow any app to read shared RELRO files.
|
||||
allow appdomain shared_relro_file:dir search;
|
||||
allow appdomain shared_relro_file:file r_file_perms;
|
||||
|
||||
###
|
||||
### CTS-specific rules
|
||||
###
|
||||
|
|
|
|||
1
file.te
1
file.te
|
|
@ -75,6 +75,7 @@ type media_data_file, file_type, data_file_type;
|
|||
type media_rw_data_file, file_type, data_file_type;
|
||||
type nfc_data_file, file_type, data_file_type;
|
||||
type radio_data_file, file_type, data_file_type;
|
||||
type shared_relro_file, file_type, data_file_type;
|
||||
type systemkeys_data_file, file_type, data_file_type;
|
||||
type vpn_data_file, file_type, data_file_type;
|
||||
type wifi_data_file, file_type, data_file_type;
|
||||
|
|
|
|||
|
|
@ -196,6 +196,7 @@
|
|||
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
|
||||
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
|
||||
/data/misc/media(/.*)? u:object_r:media_data_file:s0
|
||||
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
|
||||
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
|
||||
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
|
||||
/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
|
||||
|
|
|
|||
|
|
@ -39,6 +39,7 @@ user=system domain=system_app type=system_app_data_file
|
|||
user=bluetooth domain=bluetooth type=bluetooth_data_file
|
||||
user=nfc domain=nfc type=nfc_data_file
|
||||
user=radio domain=radio type=radio_data_file
|
||||
user=shared_relro domain=shared_relro
|
||||
user=shell domain=shell type=shell_data_file
|
||||
user=_isolated domain=isolated_app
|
||||
user=_app seinfo=platform domain=platform_app type=app_data_file
|
||||
|
|
|
|||
10
shared_relro.te
Normal file
10
shared_relro.te
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
# Process which creates/updates shared RELRO files to be used by other apps.
|
||||
type shared_relro, domain;
|
||||
|
||||
# The shared relro process is a Java program forked from the zygote, so it
|
||||
# inherits from app to get basic permissions it needs to run.
|
||||
app_domain(shared_relro)
|
||||
|
||||
# Grant write access to the shared relro files/directory.
|
||||
allow shared_relro shared_relro_file:dir rw_dir_perms;
|
||||
allow shared_relro shared_relro_file:file create_file_perms;
|
||||
Loading…
Reference in a new issue