Commit 2c38b3b8 authored by Nick Kralevich

DO NOT MERGE: allow access to labeled executables in /system

Most files on /system are labeled with the "system_file" label, and
are readable by default by all SELinux domains. However, select
executables are labeled with their own label, so that SELinux knows
what domains to enter upon running the executable.

Allow adbd read access to labeled executables in /system. We do
this by granting adbd read access to exec_type, the attribute
assigned to all executables on /system.

This allows "adb pull /system" to work without generating
SELinux denials.

Bug: 18078338
Change-Id: I97783759af083968890f15f7b1d8fff989e80604
parent 480374e4
...@@ -65,6 +65,10 @@ allow adbd app_data_file:dir search; ...@@ -65,6 +65,10 @@ allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write; allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto; allow adbd appdomain:unix_stream_socket connectto;
# b/18078338 - allow read access to executable types on /system
# to assist with debugging OTA issues.
allow adbd exec_type:file r_file_perms;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so. # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms; allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms; allow adbd system_file:file r_file_perms;
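Review bot: The new `allow adbd exec_type:file r_file_perms;` rule grants read access on every type that carries the exec_type attribute, so the `allow adbd zygote_exec:file r_file_perms;` line just below it becomes redundant if zygote_exec is an exec_type, as the commit message's description of the attribute implies. Either drop the narrower rule or keep it with a comment saying it is retained for the ndk-gdb case. The added comment also gives only the debugging motivation; it would help to state there that exec_type is an attribute covering all labeled executables on /system, so a reader of the policy file sees how broad the grant is, and to say whether it is meant for all build variants or only debuggable ones.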