Skip to content
Snippets Groups Projects
Commit 1bcff87c authored by Stephen Smalley's avatar Stephen Smalley Committed by Nick Kralevich
Browse files

neverallow write access to /data/dalvik-cache directories. 

Prohibit all but a specific set of whitelisted domains
from writing to /data/dalvik-cache.  This is to prevent
code injection into apps, zygote, or system_server.

Inspired by:
https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/


which depended on system UID apps having write access to
/data/dalvik-cache (not allowed in AOSP policy but evidently
in those device policies).  Prevent this from recurring.

Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
(cherry picked from commit d9bf7b3f)

Change-Id: I9219ddc3af44c909af90ba694e96565f99d8190c
parent 904099ca
No related branches found
No related tags found
Hide whitespace changes
Inline Side-by-side
Showing
with 8 additions and 0 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment