Skip to content
Snippets Groups Projects
Commit 3cba84e2 authored by Daniel Cashman's avatar Daniel Cashman Committed by Gerrit Code Review
Browse files

Merge "Run idmap in its own domain."

parents e956b315 b335e384
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
file_contexts
+ 1
0
View file @ 3cba84e2
...@@ -178,6 +178,7 @@ ...@@ -178,6 +178,7 @@
/system/bin/sgdisk u:object_r:sgdisk_exec:s0 /system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0 /system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0 /system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
/system/bin/idmap u:object_r:idmap_exec:s0
############################# #############################
# Vendor files # Vendor files
......
idmap.te 0 → 100644
+ 10
0
View file @ 3cba84e2
# idmap, when executed by installd
type idmap, domain;
type idmap_exec, exec_type, file_type;
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
installd.te
+ 3
1
View file @ 3cba84e2
...@@ -20,7 +20,6 @@ allow installd apk_tmp_file:file { r_file_perms unlink }; ...@@ -20,7 +20,6 @@ allow installd apk_tmp_file:file { r_file_perms unlink };
allow installd apk_tmp_file:dir { relabelfrom create_dir_perms }; allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms; allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms; allow installd oemfs:file r_file_perms;
allow installd system_file:file x_file_perms;
allow installd cgroup:dir create_dir_perms; allow installd cgroup:dir create_dir_perms;
allow installd mnt_expand_file:dir search; allow installd mnt_expand_file:dir search;
# Check validity of SELinux context before use. # Check validity of SELinux context before use.
...@@ -71,6 +70,9 @@ allow installd resourcecache_data_file:file create_file_perms; ...@@ -71,6 +70,9 @@ allow installd resourcecache_data_file:file create_file_perms;
# Run dex2oat in its own sandbox. # Run dex2oat in its own sandbox.
domain_auto_trans(installd, dex2oat_exec, dex2oat) domain_auto_trans(installd, dex2oat_exec, dex2oat)
# Run idmap in its own sandbox.
domain_auto_trans(installd, idmap_exec, idmap)
# Upgrade from unlabeled userdata. # Upgrade from unlabeled userdata.
# Just need enough to remove and/or relabel it. # Just need enough to remove and/or relabel it.
allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir }; allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
......
zygote.te
+ 4
2
View file @ 3cba84e2
...@@ -31,8 +31,10 @@ allow zygote resourcecache_data_file:dir rw_dir_perms; ...@@ -31,8 +31,10 @@ allow zygote resourcecache_data_file:dir rw_dir_perms;
allow zygote resourcecache_data_file:file create_file_perms; allow zygote resourcecache_data_file:file create_file_perms;
# For art. # For art.
allow zygote dalvikcache_data_file:file execute; allow zygote dalvikcache_data_file:file execute;
# Execute dexopt. # Execute idmap and dex2oat within zygote's own domain.
allow zygote system_file:file x_file_perms; # TODO: Should either of these be transitioned to the same domain
# used by installd or stay in-domain for zygote?
allow zygote idmap_exec:file rx_file_perms;
allow zygote dex2oat_exec:file rx_file_perms; allow zygote dex2oat_exec:file rx_file_perms;
# Control cgroups. # Control cgroups.
allow zygote cgroup:dir create_dir_perms; allow zygote cgroup:dir create_dir_perms;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment