Commit da1d724f authored by Torne (Richard Coles)'s avatar Torne (Richard Coles) Committed by android-build-merger

Merge "Allow webview_zygote to read/execute installed APKs." am: 23fdf03c

am: 9e0873ec

Change-Id: Ie6d65f6e47d6bbcdd780f0ed38b564c685b2577b
parents 8720ce36 9e0873ec
......@@ -8,6 +8,11 @@ type webview_zygote_exec, exec_type, file_type;
# Access to system files for SELinux contexts.
allow webview_zygote rootfs:file r_file_perms;
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
allow webview_zygote apk_data_file:file { r_file_perms execute };
# Access to the WebView relro file.
allow webview_zygote shared_relro_file:dir search;
allow webview_zygote shared_relro_file:file r_file_perms;
......@@ -48,6 +53,17 @@ selinux_check_access(webview_zygote)
# Only permit transition to isolated_app.
neverallow webview_zygote { domain -isolated_app }:process dyntransition;
# Only setcon() transitions, no exec() based transitions
neverallow webview_zygote *:process transition;
# Must not exec() a program without changing domains.
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
# The only way to enter this domain is for init to exec() us.
neverallow { domain -init } webview_zygote:process transition;
neverallow * webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
neverallow webview_zygote property_type:property_service set;
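Review bot: The comment above the new `apk_data_file:file { r_file_perms execute }` rule in the first hunk says "installed binaries", which undersells what the grant is and overstates what it allows: `apk_data_file` covers every installed package, not only the WebView one, and `execute` on the file class permits mapping the file with PROT_EXEC (loading native code out of the APK), while exec()-ing such a file as a program remains blocked by the `execute_no_trans` neverallow in the second hunk. The comment should state both so a later reader does not mistake this for an exec grant or try to narrow a neverallow around it. I would write it as `# Allow reading and mapping (PROT_EXEC) installed APKs so the WebView` / `# implementation's native code can be preloaded; exec() of these files` / `# is still denied by the execute_no_trans neverallow below.` Separately, the comment `# Having said that, exec() above is not allowed.` in the second hunk is hard to parse, presumably meaning that the execute grant above does not permit an exec() transition; a wording such as `# (the execute grant above does not allow exec())` would make the relationship explicit.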