te_macros · 476855357b5ec9f59754cdb5aa0f0a6806b34049 · CodeLinaro / public-release-test / platform / system / sepolicy

11 years ago

Allow write access to ashmem allocated regions · 47685535

Nick Kralevich authored 11 years ago

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d

47685535

History

Allow write access to ashmem allocated regions

Nick Kralevich authored 11 years ago

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d