Commit 998ce77f authored by Nick Kralevich

domain: relax execmod restrictions

Some devices still have pre-built binaries with text relocations
on them. As a result, it's premature to assert a neverallow rule
for files in /system

Bug: 20013628
Change-Id: I3a1e43db5c610164749dee6882f645a0559c789b
parent 1598b52b
...@@ -390,10 +390,13 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_ ...@@ -390,10 +390,13 @@ neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_
# which, long term, need to go away. # which, long term, need to go away.
neverallow domain { neverallow domain {
file_type file_type
-system_file # needs to die. b/20013628
-system_data_file -system_data_file
-apk_data_file -apk_data_file
-app_data_file -app_data_file
-asec_public_file -asec_public_file
}:file execmod; }:file execmod;
neverallow { domain -appdomain } file_type:file execmod; # TODO: prohibit non-zygote spawned processes from using shared libraries
# with text relocations. b/20013628 .
# neverallow { domain -appdomain } file_type:file execmod;
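Review bot: Commenting out `neverallow { domain -appdomain } file_type:file execmod;` at the end of the hunk drops the compile-time assertion for every file type in non-app domains, while the commit message only names pre-built binaries in /system as the blocker. If the affected files are all labeled system_file, consider keeping the rule in narrowed form, for example `neverallow { domain -appdomain } { file_type -system_file }:file execmod;`, so that a new execmod grant on any other type still fails the build. The same reasoning applies to the first rule: the `-system_file` exclusion is the only change needed there, and its "needs to die" comment and the TODO both point at b/20013628, so it would help to say in one of them what condition lets the exclusion be removed (for example, no remaining device shipping libraries with text relocations). Minor: the TODO comment ends with a stray " ." after the bug number.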