Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 476855357b5ec9f59754cdb5aa0f0a6806b34049
commit476855357b5ec9f59754cdb5aa0f0a6806b34049[log] [tgz]
authorNick Kralevich <nnk@google.com>Wed Nov 27 13:33:04 2013 -0800
committerNick Kralevich <nnk@google.com>Wed Nov 27 13:36:48 2013 -0800
tree080ffdeb052b5b17dad19415cb113769e71e066a
parent2ffd52a47283681e8a9034327930a0dbea98b77c [diff]
Allow write access to ashmem allocated regions

Allow tmpfs_domains the ability to write to ashmem allocated
regions. At least one Google internal app does this, and switching
untrusted_app into enforcing causes the following denial:

<5>[  291.791423] type=1400 audit(1385587240.320:79): avc:  denied  { write } for  pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file

path=/dev/ashmem (deleted)

Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d
1 file changed
tree: 080ffdeb052b5b17dad19415cb113769e71e066a
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. bluetooth.te
  8. clatd.te
  9. debuggerd.te
  10. device.te
  11. dhcp.te
  12. dnsmasq.te
  13. domain.te
  14. drmserver.te
  15. file.te
  16. file_contexts
  17. fs_use
  18. genfs_contexts
  19. global_macros
  20. gpsd.te
  21. hci_attach.te
  22. healthd.te
  23. hostapd.te
  24. init.te
  25. init_shell.te
  26. initial_sid_contexts
  27. initial_sids
  28. installd.te
  29. isolated_app.te
  30. kernel.te
  31. keys.conf
  32. keystore.te
  33. mac_permissions.xml
  34. media_app.te
  35. mediaserver.te
  36. mls
  37. mls_macros
  38. mtp.te
  39. net.te
  40. netd.te
  41. nfc.te
  42. NOTICE
  43. ping.te
  44. platform_app.te
  45. policy_capabilities
  46. port_contexts
  47. ppp.te
  48. property.te
  49. property_contexts
  50. qemud.te
  51. racoon.te
  52. radio.te
  53. README
  54. release_app.te
  55. rild.te
  56. roles
  57. runas.te
  58. sdcardd.te
  59. seapp_contexts
  60. security_classes
  61. selinux-network.sh
  62. servicemanager.te
  63. shared_app.te
  64. shell.te
  65. su.te
  66. su_user.te
  67. surfaceflinger.te
  68. system_app.te
  69. system_server.te
  70. te_macros
  71. tee.te
  72. ueventd.te
  73. unconfined.te
  74. untrusted_app.te
  75. users
  76. vold.te
  77. watchdogd.te
  78. wpa_supplicant.te
  79. zygote.te