Initial selinux policy support for memfd Move all app tmpfs types to appdomain_tmpfs. These are still protected by mls categories and DAC. TODO clean up other app tmpfs types in a separate change. Treble-ize tmpfs passing between graphics composer HAL and surfaceflinger. Bug: 122854450 Test: boot Blueline with memfd enabled. Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee

commit: 9f5d0d90a3a5b479c19fda7b528471f16b773546 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Tue Jan 29 14:43:45 2019 -0800
committer: Jeffrey Vander Stoep <jeffv@google.com> Wed Jan 30 19:11:49 2019 +0000
tree: 1a644302a81b66ce2032854e39ba8f7ab6f0884b
parent: 37ab42e54265ec902cb63d623c41e8ef5717020b [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index 1003994..f91461c 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -13,6 +13,7 @@
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
 
 allow system_server zygote_tmpfs:file read;
+allow system_server appdomain_tmpfs:file { getattr map read write };
 
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
commit	9f5d0d90a3a5b479c19fda7b528471f16b773546	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Tue Jan 29 14:43:45 2019 -0800
committer	Jeffrey Vander Stoep <jeffv@google.com>	Wed Jan 30 19:11:49 2019 +0000
tree	1a644302a81b66ce2032854e39ba8f7ab6f0884b
parent	37ab42e54265ec902cb63d623c41e8ef5717020b [diff] [blame]