Merge "Define SELinux policy for RELRO sharing support."

ba176c5f · Torne (Richard Coles) · Gerrit Code Review · 0cefb701 · 9786af2b · ba176c5f
Commit ba176c5f authored 10 years ago by Torne (Richard Coles) Committed by Gerrit Code Review 10 years ago
--- a/app.te
+++ b/app.te
@@ -133,6 +133,10 @@ allow appdomain dalvikcache_data_file:file execute;
 # /data/dalvik-cache/profiles
 allow appdomain dalvikcache_profiles_data_file:file write;
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
 ###
 ### CTS-specific rules
 ###

--- a/file.te
+++ b/file.te
@@ -75,6 +75,7 @@ type media_data_file, file_type, data_file_type;
 type media_rw_data_file, file_type, data_file_type;
 type nfc_data_file, file_type, data_file_type;
 type radio_data_file, file_type, data_file_type;
+type shared_relro_file, file_type, data_file_type;
 type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;

--- a/file_contexts
+++ b/file_contexts
@@ -196,6 +196,7 @@
 /data/misc/dhcp(/.*)?           u:object_r:dhcp_data_file:s0
 /data/misc/keystore(/.*)?       u:object_r:keystore_data_file:s0
 /data/misc/media(/.*)?          u:object_r:media_data_file:s0
+/data/misc/shared_relro(/.*)?   u:object_r:shared_relro_file:s0
 /data/misc/sms(/.*)?            u:object_r:radio_data_file:s0
 /data/misc/systemkeys(/.*)?     u:object_r:systemkeys_data_file:s0
 /data/misc/vpn(/.*)?            u:object_r:vpn_data_file:s0

--- a/seapp_contexts
+++ b/seapp_contexts
@@ -39,6 +39,7 @@ user=system domain=system_app type=system_app_data_file
 user=bluetooth domain=bluetooth type=bluetooth_data_file
 user=nfc domain=nfc type=nfc_data_file
 user=radio domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
 user=shell domain=shell type=shell_data_file
 user=_isolated domain=isolated_app
 user=_app seinfo=platform domain=platform_app type=app_data_file

--- a/shared_relro.te
+++ b/shared_relro.te
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;