Merge "Allow webview_zygote to read/execute installed APKs." am: 23fdf03c am: 9e0873ec

am: da1d724f Change-Id: I2fa92c77859418e4fdb6dc1e2f966033567183a4

Merge "Allow webview_zygote to read/execute installed APKs." am: 23fdf03c am: 9e0873ec
a924b8f6 · Torne (Richard Coles) · android-build-merger · 960d1409 · da1d724f · a924b8f6
Commit a924b8f6 authored 8 years ago by Torne (Richard Coles) Committed by android-build-merger 8 years ago
--- a/public/webview_zygote.te
+++ b/public/webview_zygote.te
@@ -8,6 +8,11 @@ type webview_zygote_exec, exec_type, file_type;
 # Access to system files for SELinux contexts.
 allow webview_zygote rootfs:file r_file_perms;

+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
 # Access to the WebView relro file.
 allow webview_zygote shared_relro_file:dir search;
 allow webview_zygote shared_relro_file:file r_file_perms;
@@ -48,6 +53,17 @@ selinux_check_access(webview_zygote)
 # Only permit transition to isolated_app.
 neverallow webview_zygote { domain -isolated_app }:process dyntransition;

+# Only setcon() transitions, no exec() based transitions
+neverallow webview_zygote *:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
 # Disallow write access to properties.
 neverallow webview_zygote property_socket:sock_file write;
 neverallow webview_zygote property_type:property_service set;