Commit 49c995d1 authored by Stephen Smalley, committed by Nick Kralevich

Do not allow zygote to execve dalvikcache files.


x_file_perms and friends allow execve; we only want to permit
mmap/mprotect PROT_EXEC here.

Change-Id: I780f202c357f4611225cec25fda5cb9d207e085f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent 39fd7818
...@@ -21,7 +21,9 @@ allow zygote appdomain:process { getpgid setpgid }; ...@@ -21,7 +21,9 @@ allow zygote appdomain:process { getpgid setpgid };
allow zygote system_data_file:dir rw_dir_perms; allow zygote system_data_file:dir rw_dir_perms;
allow zygote system_data_file:file create_file_perms; allow zygote system_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:dir rw_dir_perms; allow zygote dalvikcache_data_file:dir rw_dir_perms;
allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms }; allow zygote dalvikcache_data_file:file create_file_perms;
# For art.
allow zygote dalvikcache_data_file:file execute;
# Execute dexopt. # Execute dexopt.
allow zygote system_file:file x_file_perms; allow zygote system_file:file x_file_perms;
# Control cgroups. # Control cgroups.
......
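Review bot: The comment "# For art." above the new "allow zygote dalvikcache_data_file:file execute;" rule does not record why execute is granted on its own, so a later cleanup could fold it back into x_file_perms and silently restore execve. Consider a comment that carries the commit message's reasoning into the policy, for example "# For art: mmap/mprotect PROT_EXEC only; do not use x_file_perms here, it also allows execve." If the policy's conventions allow it, a guard such as "neverallow zygote dalvikcache_data_file:file execute_no_trans;" would make a regression fail at policy build time instead of relying on the comment. The two rules on dalvikcache_data_file:file could also be written as a single rule with { create_file_perms execute }, though keeping them separate with the comment is reasonable if the intent is to make the execute grant stand out.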