Commit 566eaa93 authored by Stephen Smalley's avatar Stephen Smalley Committed by Android Git Automerger

am 3d706559: am e7ec2f52: Only allow PROT_EXEC for ashmem where required.

* commit '3d706559':
  Only allow PROT_EXEC for ashmem where required.
parents da26d7dd 3d706559
...@@ -9,6 +9,7 @@ ...@@ -9,6 +9,7 @@
# Dalvik Compiler JIT Mapping. # Dalvik Compiler JIT Mapping.
allow appdomain self:process execmem; allow appdomain self:process execmem;
allow appdomain ashmem_device:chr_file execute;
# Allow apps to connect to the keystore # Allow apps to connect to the keystore
unix_socket_connect(appdomain, keystore, keystore) unix_socket_connect(appdomain, keystore, keystore)
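Review bot: The added `allow appdomain ashmem_device:chr_file execute;` has no comment of its own, and the comment that used to explain it in `binder_use` ("Map /dev/ashmem with PROT_EXEC.") is deleted by this commit. Because the rule is attached to the `appdomain` attribute, every app domain inherits the ability to map /dev/ashmem executable, and that scope should be stated next to the rule. I would add `# Map /dev/ashmem with PROT_EXEC; granted to every app domain via the attribute.` directly above it. If some app domains do not run JIT-compiled code (not visible from this hunk), granting the permission per domain rather than on the attribute would be tighter.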
......
...@@ -5,8 +5,13 @@ ...@@ -5,8 +5,13 @@
type system_server, domain, mlstrustedsubject; type system_server, domain, mlstrustedsubject;
permissive system_server; permissive system_server;
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
# Dalvik Compiler JIT Mapping. # Dalvik Compiler JIT Mapping.
allow system_server self:process execmem; allow system_server self:process execmem;
allow system_server ashmem_device:chr_file execute;
allow system_server system_server_tmpfs:file execute;
# For art. # For art.
allow system_server dalvikcache_data_file:file execute; allow system_server dalvikcache_data_file:file execute;
...@@ -95,7 +100,6 @@ unix_socket_send(system_server, wpa, wpa) ...@@ -95,7 +100,6 @@ unix_socket_send(system_server, wpa, wpa)
allow system_server surfaceflinger:unix_stream_socket { read write setopt }; allow system_server surfaceflinger:unix_stream_socket { read write setopt };
# Perform Binder IPC. # Perform Binder IPC.
tmpfs_domain(system_server)
binder_use(system_server) binder_use(system_server)
binder_call(system_server, binderservicedomain) binder_call(system_server, binderservicedomain)
binder_call(system_server, appdomain) binder_call(system_server, appdomain)
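Review bot: The two rules added under the JIT comment, `allow system_server ashmem_device:chr_file execute;` and `allow system_server system_server_tmpfs:file execute;`, combine with the `{ read write }` that `tmpfs_domain` still grants, so this privileged domain can both write and execute the same ashmem-backed objects. Nothing in the file records that the execute grants exist only for the JIT or when they can be dropped. I would extend the comment to something like `# Dalvik Compiler JIT Mapping: needs PROT_EXEC on ashmem regions; remove once system_server no longer JITs.` The domain is declared `permissive` a few lines above, so denials are only logged; the audit log can confirm whether both rules are really required before the domain is made enforcing.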
......
...@@ -88,8 +88,7 @@ typeattribute $1 unconfineddomain; ...@@ -88,8 +88,7 @@ typeattribute $1 unconfineddomain;
define(`tmpfs_domain', ` define(`tmpfs_domain', `
type $1_tmpfs, file_type; type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs; type_transition $1 tmpfs:file $1_tmpfs;
# Map with PROT_EXEC. allow $1 $1_tmpfs:file { read write };
allow $1 $1_tmpfs:file { read write execute execmod };
') ')
##################################### #####################################
...@@ -108,6 +107,8 @@ define(`app_domain', ` ...@@ -108,6 +107,8 @@ define(`app_domain', `
typeattribute $1 appdomain; typeattribute $1 appdomain;
# Label ashmem objects with our own unique type. # Label ashmem objects with our own unique type.
tmpfs_domain($1) tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
') ')
##################################### #####################################
...@@ -163,8 +164,6 @@ allow $1 $3:unix_dgram_socket sendto; ...@@ -163,8 +164,6 @@ allow $1 $3:unix_dgram_socket sendto;
define(`binder_use', ` define(`binder_use', `
# Call the servicemanager and transfer references to it. # Call the servicemanager and transfer references to it.
allow $1 servicemanager:binder { call transfer }; allow $1 servicemanager:binder { call transfer };
# Map /dev/ashmem with PROT_EXEC.
allow $1 ashmem_device:chr_file execute;
# rw access to /dev/binder and /dev/ashmem is presently granted to # rw access to /dev/binder and /dev/ashmem is presently granted to
# all domains in domain.te. # all domains in domain.te.
') ')
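Review bot: After `execute` is removed from `binder_use` and `execute execmod` from `tmpfs_domain`, nothing in the policy stops a later change from granting these permissions again to a domain that should not have them. A compile-time assertion would lock the narrowing in, for example `neverallow { domain -appdomain -system_server } ashmem_device:chr_file execute;`, with any unconfined domains that must stay exempt subtracted as well. Separately, every other caller of `tmpfs_domain` and `binder_use` loses the permission silently. Those callers are outside this page, so each one should be checked for executable ashmem mappings before the change is relied on. `execmod` is dropped for `app_domain` as well, since the new rule grants only `execute`; this looks intentional, but the new "Map with PROT_EXEC." comment could say so.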
......