Add compile time checks for /data/dalvik-cache access
Add an SELinux neverallow rule (compile time assertion) that only authorized SELinux domains are writing to files in /data/dalvik-cache.

Currently, SELinux policy only allows the following SELinux domains to perform writes to files in /data/dalvik-cache:

* init
* zygote
* installd
* dex2oat

For zygote, installd, and dex2oat, these accesses make sense.

For init, we could further restrict init to just relabelfrom on /data/dalvik-cache files, and { create, write, setattr } on /data/dalvik-cache directories. Currently init has full write access, which can be reduced over time.

This change was motivated by the discussion in https://android-review.googlesource.com/127582

Remove /data/dalvik-cache access from the unconfined domain. This domain is only used by init, kernel, and fsck on user builds. The kernel and fsck domains have no need to access files in /data/dalvik-cache. Init has a need to relabel files, but that rule is already granted in init.te.

The neverallow rule is intended to prevent regressions. Neverallow rules are CTS tested, so regressions won't appear on our devices or partner devices.

Change-Id: I15e7d17b1121c556463114d1c6c49557a57911cd
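The following is an added illustration, not code from this commit or from the AOSP policy: a simplified Python model of the check a neverallow assertion performs, run over a constructed set of allow rules. The type name `dalvik_cache_data_file`, the write-permission set, the sample rules and the domain name `unconfined` are assumptions; the real check is done by the policy compiler over the fully expanded policy, including attributes.

```python
import re

# Assumed names: the page does not give the type label or the permission set.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr", "link"}
ALLOWED_WRITERS = {"init", "zygote", "installd", "dex2oat"}  # from the commit message
TARGET = ("dalvik_cache_data_file", "file")

# Constructed sample policy, not the AOSP source.
SAMPLE_POLICY = """
allow zygote dalvik_cache_data_file:file { create write setattr };
allow installd dalvik_cache_data_file:file { create write unlink };
allow dex2oat dalvik_cache_data_file:file write;
allow init dalvik_cache_data_file:file { relabelfrom write };
allow untrusted_app dalvik_cache_data_file:file { read getattr };
allow unconfined dalvik_cache_data_file:file { read write };
"""

RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;$")

def parse_allow_rules(text):
    """Yield (source, type, class, perms) for each simple allow statement."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            perms = set((m.group(4) or m.group(5)).split())
            yield m.group(1), m.group(2), m.group(3), perms

def neverallow_violations(text, exempt=ALLOWED_WRITERS, target=TARGET,
                          perms=WRITE_PERMS):
    """Return (domain, perms) pairs where a non-exempt domain gets a write perm."""
    hits = []
    for src, ttype, tclass, granted in parse_allow_rules(text):
        bad = granted & perms
        if (ttype, tclass) == target and src not in exempt and bad:
            hits.append((src, sorted(bad)))
    return hits

if __name__ == "__main__":
    # A non-empty result models the build failing at policy compile time.
    for src, bad in neverallow_violations(SAMPLE_POLICY):
        print(f"neverallow violated: {src} -> {' '.join(bad)} on {TARGET[0]}:{TARGET[1]}")
```

Deleting the `unconfined` line from the sample, as the commit does for the unconfined domain, leaves no violations; read-only grants such as the `untrusted_app` line never trip the assertion.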