Commit 47685535 authored by Nick Kralevich

Allow write access to ashmem allocated regions

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d
parent 2ffd52a4
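The denial quoted in the commit message carries its path hex-encoded (auditd does this for fields containing spaces or unusual bytes), and the fix is the rule audit2allow would derive from it. The following Python is an added example, not code from this commit or from the Android project: it parses AVC lines, decodes hex-encoded path-like fields, and aggregates denials into the minimal allow rules. The first log line is the one from the commit message; the second is constructed for illustration. Field names in HEX_FIELDS are the usual auditd string fields, assumed here rather than taken from the page.

```python
import re
from collections import defaultdict

# The denial quoted in the commit message above.
SAMPLE_DENIAL = (
    '<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  '
    '{ write } for  pid=3774 comm="XXXXXXXXXXXX" '
    'path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 '
    'scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 '
    'tclass=file'
)

# Constructed second line (not from the page): a read denial on the same pair,
# used to show how denials for one (source, target, class) triple are merged.
CONSTRUCTED_DENIAL = (
    '<5>[  292.000000] type=1400 audit(1385587241.000:80): avc:  denied  '
    '{ read } for  pid=3774 comm="XXXXXXXXXXXX" path="/dev/ashmem" dev="tmpfs" '
    'ino=16937 scontext=u:r:untrusted_app:s0 '
    'tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file'
)

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# auditd hex-encodes these string fields when they contain spaces/quotes/control
# bytes; numeric fields such as pid= must never be hex-decoded (assumed set).
HEX_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_audit_field(key, value):
    """Return the plain value of one key=value pair from an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        try:
            return bytes.fromhex(value).decode('utf-8')
        except (ValueError, UnicodeDecodeError):
            pass  # not really hex; fall through and keep the raw text
    return value


def te_type(context):
    """Extract the type from a context such as u:r:untrusted_app:s0."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC line into result, permission set and decoded fields.

    Returns None for lines that are not AVC records.
    """
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_audit_field(k, v) for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'fields': fields,
        'source': te_type(fields['scontext']),
        'target': te_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def suggest_allow(parsed):
    """Render the allow rule that would satisfy a single parsed denial."""
    perms = ' '.join(sorted(parsed['perms']))
    return f"allow {parsed['source']} {parsed['target']}:{parsed['tclass']} {{ {perms} }};"


def rules_from_log(lines):
    """Merge all denials in a log into one rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        p = parse_avc(line)
        if p and p['result'] == 'denied':
            wanted[(p['source'], p['target'], p['tclass'])] |= p['perms']
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in wanted.items()
    )


if __name__ == '__main__':
    parsed = parse_avc(SAMPLE_DENIAL)
    print('decoded path:', parsed['fields']['path'])
    for rule in rules_from_log([SAMPLE_DENIAL, CONSTRUCTED_DENIAL]):
        print(rule)
```

The rule printed for the commit's own denial is `allow untrusted_app untrusted_app_tmpfs:file { write };`; in the patch the equivalent grant lands inside the generic `tmpfs_domain` macro, which is broader than this per-domain rule. Treat the output as a starting point for review, as audit2allow output should be, not as policy to apply blindly.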
...@@ -89,7 +89,7 @@ define(`tmpfs_domain', ` ...@@ -89,7 +89,7 @@ define(`tmpfs_domain', `
type $1_tmpfs, file_type; type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs; type_transition $1 tmpfs:file $1_tmpfs;
# Map with PROT_EXEC. # Map with PROT_EXEC.
allow $1 $1_tmpfs:file { read execute execmod }; allow $1 $1_tmpfs:file { read write execute execmod };
') ')
##################################### #####################################
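Review bot: the comment immediately above the rule still reads "# Map with PROT_EXEC." while the rule now grants { read write execute execmod } on $1_tmpfs:file, so a reader of the macro no longer sees that the domain can also write these files; update it to something like `# Read, write, and map with PROT_EXEC (ashmem regions are written by apps).` Also, because the change is made inside the generic tmpfs_domain macro, every domain that uses the macro gains write on its own tmpfs type, whereas the denial quoted in the commit message is only for untrusted_app on untrusted_app_tmpfs; if only that domain needs it, consider a narrower `allow untrusted_app untrusted_app_tmpfs:file write;` in its own policy file, or otherwise state in the commit message why widening all tmpfs domains is intended.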