Merge "Remove sepolicy for viewcompiler" into main
commit
bc71c77f94
4 changed files with 0 additions and 30 deletions
|
@ -1609,7 +1609,6 @@ neverallow {
|
|||
-rs # spawned by appdomain, so carryover the exception above
|
||||
-runas
|
||||
-system_server
|
||||
-viewcompiler
|
||||
-zygote
|
||||
} { privapp_data_file app_data_file }:dir *;
|
||||
|
||||
|
|
|
@ -348,7 +348,6 @@
|
|||
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
|
||||
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
|
||||
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
|
||||
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
|
||||
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
|
||||
/system/bin/blkid u:object_r:blkid_exec:s0
|
||||
/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
|
||||
|
|
|
@ -12,9 +12,6 @@ domain_auto_trans(installd, dex2oat_exec, dex2oat)
|
|||
# Run dexoptanalyzer in its own sandbox.
|
||||
domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
|
||||
|
||||
# Run viewcompiler in its own sandbox.
|
||||
domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
|
||||
|
||||
# Run profman in its own sandbox.
|
||||
domain_auto_trans(installd, profman_exec, profman)
|
||||
|
||||
|
|
|
@ -1,25 +0,0 @@
|
|||
# viewcompiler
|
||||
type viewcompiler, domain, coredomain, mlstrustedsubject;
|
||||
type viewcompiler_exec, system_file_type, exec_type, file_type;
|
||||
type viewcompiler_tmpfs, file_type;
|
||||
|
||||
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
||||
# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
|
||||
# own label, which differs from other labels created by other processes.
|
||||
# This allows to distinguish in policy files created by viewcompiler vs other
|
||||
# processes.
|
||||
tmpfs_domain(viewcompiler)
|
||||
|
||||
allow viewcompiler installd:fd use;
|
||||
|
||||
# Include write permission for app data files so viewcompiler can generate
|
||||
# compiled layout dex files
|
||||
allow viewcompiler app_data_file:file { getattr write };
|
||||
|
||||
# Allow the view compiler to read resources from the apps APK.
|
||||
allow viewcompiler apk_data_file:file { read map };
|
||||
|
||||
# priv-apps are moving to a world where they can only execute
|
||||
# signed code. Make sure viewcompiler never can write to privapp
|
||||
# directories to avoid introducing unsigned executable code
|
||||
neverallow viewcompiler privapp_data_file:file no_w_file_perms;
|