author Nick Kralevich <nnk@google.com> 2015-04-02 15:09:37 -0700
committer Nick Kralevich <nnk@google.com> 2015-04-02 15:09:37 -0700
commit 54ea7766c6b2f092f11478ceb51e38d1ecd6d9c8
tree 2626deadd042fedc32902391bd8917aac8d2878b
parent 1cab44f7733b363bd0be876ba405efaf2db9cc22
camera: allow loading files with text relocations from /system
The qcom camera driver needs to load a shared library from /system which contains a text relocation. Allow it.

Due to bug 20013628, SELinux policy was inappropriately treating an execmod denial as an execmem denial. Move to using a proper execmod denial and get rid of execmem.

Addresses the following denial:

  avc: denied { execmod } for pid=208 comm="mm-qcamera-daem" path="/system/vendor/lib/libmmcamera_faceproc.so" dev="mmcblk0p22" ino=1739 scontext=u:r:camera:s0 tcontext=u:object_r:system_file:s0 tclass=file

Bug: 20013628
Change-Id: I9a1079b5e95390f1aebeeaeceaa0271f58c6b2de
-rw-r--r-- sepolicy/camera.te 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index dc57d01..4f753a3 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -5,7 +5,7 @@ type camera_exec, exec_type, file_type;
# Started by init
init_daemon_domain(camera)
-allow camera self:process execmem;
+allow camera system_file:file execmod;
# Interact with other media devices
allow camera camera_device:dir search;
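Review bot: the added rule `allow camera system_file:file execmod;` applies to every file labelled system_file, while the denial quoted in the commit message concerns one library, /system/vendor/lib/libmmcamera_faceproc.so. Consider giving that library its own file type and granting execmod on that type only (such a type would be new; it is not part of this patch), so the exception does not extend to other files under /system. A one-line comment above the rule naming the library and bug 20013628 would also make it easier to drop the rule once the text relocation is removed from the library.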