Skip to content
Snippets Groups Projects
Commit c103da87 authored by Nick Kralevich's avatar Nick Kralevich Committed by Gerrit Code Review
Browse files

Merge "Put dex2oat in it's own sandbox"

parents 3a8c5dc0 75d63fcf
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
app.te
+ 3
0
View file @ c103da87
...@@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms; ...@@ -61,6 +61,9 @@ allow appdomain oemfs:file rx_file_perms;
allow appdomain shell_exec:file rx_file_perms; allow appdomain shell_exec:file rx_file_perms;
allow appdomain system_file:file rx_file_perms; allow appdomain system_file:file rx_file_perms;
# Execute dex2oat when apps call dexclassloader
allow appdomain dex2oat_exec:file rx_file_perms;
# Read/write wallpaper file (opened by system). # Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write }; allow appdomain wallpaper_file:file { getattr read write };
......
dex2oat.te 0 → 100644
+ 6
0
View file @ c103da87
# dex2oat
type dex2oat, domain;
type dex2oat_exec, exec_type, file_type;
allow dex2oat dalvikcache_data_file:file write;
allow dex2oat installd:fd use;
file_contexts
+ 1
0
View file @ c103da87
...@@ -160,6 +160,7 @@ ...@@ -160,6 +160,7 @@
/system/bin/logwrapper u:object_r:system_file:s0 /system/bin/logwrapper u:object_r:system_file:s0
/system/bin/vdc u:object_r:vdc_exec:s0 /system/bin/vdc u:object_r:vdc_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat u:object_r:dex2oat_exec:s0
############################# #############################
# Vendor files # Vendor files
......
installd.te
+ 6
0
View file @ c103da87
...@@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms; ...@@ -53,6 +53,12 @@ allow installd dalvikcache_profiles_data_file:file create_file_perms;
allow installd resourcecache_data_file:dir rw_dir_perms; allow installd resourcecache_data_file:dir rw_dir_perms;
allow installd resourcecache_data_file:file create_file_perms; allow installd resourcecache_data_file:file create_file_perms;
# Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat)
# dex2oat needs LD_PRELOAD, passed down from init
# https://android-review.googlesource.com/94851
allow installd dex2oat:process noatsecure;
# Upgrade from unlabeled userdata. # Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it. # Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir }; allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
......
zygote.te
+ 1
0
View file @ c103da87
...@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms; ...@@ -31,6 +31,7 @@ allow zygote resourcecache_data_file:file create_file_perms;
allow zygote dalvikcache_data_file:file execute; allow zygote dalvikcache_data_file:file execute;
# Execute dexopt. # Execute dexopt.
allow zygote system_file:file x_file_perms; allow zygote system_file:file x_file_perms;
allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups. # Control cgroups.
allow zygote cgroup:dir create_dir_perms; allow zygote cgroup:dir create_dir_perms;
allow zygote self:capability sys_admin; allow zygote self:capability sys_admin;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment