Skip to content
Snippets Groups Projects
Commit 37afd3f6 authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Remove system_server and zygote unlabeled execute access.


Now that all of /data outside of /data/data should be labeled
even on legacy devices as a result of
Ib8d9751a47c8e0238cf499fcec61898937945d9d, there
should be no reason to permit the system_server or zygote
execute access to unlabeled files.

This is the only remaining case where a type writable by
app domains can be executed by system services, so eliminating
it is desirable.

That said, I have not specifically tested the non-SE to SE
upgrade path to confirm that this causes no problems.

Change-Id: Ie488bd6e347d4a210806a3308ab25b00952aadb4
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 0296b943
No related branches found
No related tags found
No related merge requests found
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment