author | Nick Kralevich <nnk@google.com> | 2015-04-02 15:09:37 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2015-04-02 15:09:37 -0700 |
commit | 54ea7766c6b2f092f11478ceb51e38d1ecd6d9c8 (patch) | |
tree | 2626deadd042fedc32902391bd8917aac8d2878b | |
parent | 1cab44f7733b363bd0be876ba405efaf2db9cc22 (diff) | |
download | flo-54ea7766c6b2f092f11478ceb51e38d1ecd6d9c8.tar.gz |
camera: allow loading files with text relocations from /system

the qcom camera driver needs to load a shared library from /system
which contains a text relocation. Allow it.

Due to bug 20013628, SELinux policy was inappropriately treating
an execmod denial as an execmem denial. Move to using a proper
execmod denial and get rid of execmem.

Addresses the following denial:

avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file

Bug: 20013628
Change-Id: I9a1079b5e95390f1aebeeaeceaa0271f58c6b2de
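
As an added illustration (not part of the commit or of the project's tooling), the sketch below parses the denial quoted in the commit message and derives the allow rule that would silence it, the same mapping audit2allow performs, and flags executable-memory permissions for manual review. The execmem line is a constructed sample and all function names are hypothetical.

```python
import re

# Permissions that make writable memory or modified file mappings executable.
EXEC_PERMS = {"execmod", "execmem", "execstack", "execheap"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Denial quoted in the commit message.
PAGE_DENIAL = (
    'avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" '
    'path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 '
    'scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file')
# Constructed sample: what an execmem denial for the same domain looks like.
CONSTRUCTED_EXECMEM = (
    'avc: denied { execmem } for pid=208 comm="mm-qcamera-daem" '
    'scontext=u:r:camera:s0 tcontext=u:r:camera:s0 tclass=process')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]


def to_allow_rule(denial):
    """Build the allow rule that would silence this denial."""
    src, tgt = type_of(denial["scontext"]), type_of(denial["tcontext"])
    tgt = "self" if tgt == src else tgt  # same type on both sides is "self"
    perms = denial["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, tgt, denial["tclass"], perm_text)


def needs_review(denial):
    """List the denied permissions that grant executable memory."""
    return sorted(EXEC_PERMS & set(denial["perms"]))


if __name__ == "__main__":
    for line in (PAGE_DENIAL, CONSTRUCTED_EXECMEM):
        d = parse_avc(line)
        print(to_allow_rule(d), "| review:", needs_review(d), "|", d.get("path", "-"))
```
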
-rw-r--r-- | sepolicy/camera.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sepolicy/camera.te b/sepolicy/camera.te index dc57d01..4f753a3 100644 --- a/sepolicy/camera.te +++ b/sepolicy/camera.te @@ -5,7 +5,7 @@ type camera_exec, exec_type, file_type; # Started by init init_daemon_domain(camera) -allow camera self:process execmem; +allow camera system_file:file execmod; # Interact with other media devices allow camera camera_device:dir search; |
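
Review bot: the added rule `allow camera system_file:file execmod;` has no comment and covers every file labeled system_file, while the denial in the commit message names a single library, /system/vendor/lib/libmmcamera_faceproc.so. The neighbouring rules each sit under a comment ("# Started by init", "# Interact with other media devices"); please add one above this line naming the library and bug 20013628, so the rule can be dropped once the library no longer carries text relocations. If the policy allows it, consider giving that library its own file type so execmod is granted for that type only rather than for all of system_file.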