ad891591e6
Chrome renderer processes dlopen() a shared library from
gmscore. Open and read on app data file is already allowed,
but execute isn't, so the dlopen() fails. This is a regression
from K, where the dlopen succeeded.
Longer term, there's questions about whether this is appropriate
behavior for an isolated app. For now, allow the behavior.
See the discussion in b/15902433 for details.
Addresses the following denial:
I/auditd ( 5087): type=1400 audit(0.0:76): avc: denied { execute } for comm="CrRendererMain" path="/data/data/com.google.android.gms/files/libAppDataSearchExt_armeabi_v7a.so" dev="mmcblk0p28" ino=83196 scontext=u:r:isolated_app:s0 tcontext=u:object_r:app_data_file:s0 tclass=file
Bug: 15902433
Change-Id: Ie98605d43753be8c31a6fe510ef2dde0bdb52678
20 lines
631 B
Text
20 lines
631 B
Text
###
|
|
### Services with isolatedProcess=true in their manifest.
|
|
###
|
|
### This file defines the rules for isolated apps. An "isolated
|
|
### app" is an APP with UID between AID_ISOLATED_START (99000)
|
|
### and AID_ISOLATED_END (99999).
|
|
###
|
|
### isolated_app includes all the appdomain rules, plus the
|
|
### additional following rules:
|
|
###
|
|
|
|
type isolated_app, domain;
|
|
app_domain(isolated_app)
|
|
net_domain(isolated_app)
|
|
|
|
# read and write access to app_data_file is already
|
|
# granted via app.te. Allow execute.
|
|
# Needed to allow dlopen() from Chrome renderer processes.
|
|
# See b/15902433 for details.
|
|
allow isolated_app app_data_file:file execute;
|