commit | d9bf7b3fc008533a6552887a3451a311c3a2607a | |
---|---|---|
author | Stephen Smalley <sds@tycho.nsa.gov> | Tue Jun 16 09:12:54 2015 -0400 |
committer | Stephen Smalley <sds@tycho.nsa.gov> | Tue Jun 16 09:25:47 2015 -0400 |
tree | 197fda81507881998f6abafd5660382ae79f358c | |
parent | 4b4c5645931a0e187d261c4db6caac67d09ab4e4 | |

neverallow write access to /data/dalvik-cache directories.

Prohibit all but a specific set of whitelisted domains from writing to /data/dalvik-cache. This is to prevent code injection into apps, zygote, or system_server.

Inspired by: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/ which depended on system UID apps having write access to /data/dalvik-cache (not allowed in AOSP policy but evidently in those device policies). Prevent this from recurring.

Change-Id: I282c7bf998421d794883e432b091ad1dcf9da67e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
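
A check in the spirit of this commit, as an added example that is not part of the commit or of AOSP policy: it scans plain `allow` rules for write-class permissions on the dalvik-cache type granted to domains outside an allowlist. The type name `dalvikcache_data_file`, the allowlist and the sample rules are assumptions constructed for illustration; the page does not list the exempted domains.

```python
import re

# Assumptions: the type label for /data/dalvik-cache content and the allowlist
# are illustrative; the commit page does not name the exempted domains.
TARGET_TYPE = "dalvikcache_data_file"
ALLOWED_WRITERS = {"installd", "dex2oat", "zygote"}  # hypothetical allowlist
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "link", "add_name", "remove_name", "rmdir", "reparent"}

# Constructed sample policy, not taken from any real device.
SAMPLE_POLICY = """
allow installd dalvikcache_data_file:file { create write unlink };
allow zygote dalvikcache_data_file:dir { search add_name write };
allow system_app dalvikcache_data_file:file { read write };
allow system_app dalvikcache_data_file:dir { add_name write search };
allow untrusted_app dalvikcache_data_file:file { read getattr execute };
allow { shell radio } dalvikcache_data_file:file append;
"""

# Matches "allow SRC TGT:CLASS PERMS;" where each field is a name or a { set }.
# Attributes, negation ("-type") and macros are not expanded here.
FIELD = r"(\{[^}]*\}|[^\s:;{}]+)"
RULE_RE = re.compile(
    rf"^\s*allow\s+{FIELD}\s+{FIELD}\s*:\s*{FIELD}\s+{FIELD}\s*;", re.MULTILINE)


def _names(token):
    """Split a single name or a brace-delimited set into a list of names."""
    return token.strip("{} ").split()


def find_violations(policy_text):
    """Return (domain, class, perms) for each non-allowlisted write grant."""
    violations = []
    for match in RULE_RE.finditer(policy_text):
        sources, targets, classes, perms = (_names(g) for g in match.groups())
        if TARGET_TYPE not in targets:
            continue
        granted = sorted(WRITE_PERMS.intersection(perms))
        if not granted:
            continue  # read/execute-only access is outside this check
        for src in sources:
            if src not in ALLOWED_WRITERS:
                violations.extend((src, cls, granted) for cls in classes)
    return violations


if __name__ == "__main__":
    for domain, cls, perms in find_violations(SAMPLE_POLICY):
        print(f"{domain} may modify {TARGET_TYPE}:{cls} via {perms}")
```

In a real build the same property is enforced by the policy compiler when a `neverallow` rule is present; a script like this is only useful for auditing already-built or vendor-supplied rule dumps.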