Allow all domains to access tmpfs files
Fix #8457
topjohnwu committed Dec 1, 2024
1 parent 830fc75 commit da43ac8
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions native/src/sepolicy/rules.rs
Expand Up @@ -101,9 +101,8 @@ impl SepolicyMagisk for sepolicy {
"system_app", "priv_app", "untrusted_app", "untrusted_app_all"],
[proc], ["unix_stream_socket"], ["connectto", "getopt"]);

// Let selected domains access tmpfs files
// For tmpfs overlay on 2SI, Zygisk on lower Android versions and AVD scripts
allow(["init", "zygote", "shell"], ["tmpfs"], ["file"], all);
// For tmpfs overlay on 2SI. We allow all domains to access tmpfs files.
allow(["domain"], ["tmpfs"], ["file"], all);

// Allow magiskinit daemon to handle mock selinuxfs
allow(["kernel"], ["tmpfs"], ["fifo_file"], ["write"]);
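Review bot: the source set in `allow(["domain"], ["tmpfs"], ["file"], all);` goes from three named domains (`init`, `zygote`, `shell`) to every domain while the permission set stays `all`, so any process, including the `untrusted_app` domains listed in the rule just above, gets every file permission on anything labelled `tmpfs`. The new comment justifies this only with the 2SI tmpfs overlay; consider listing the specific permissions that case needs instead of `all`, or keeping an explicit list of source domains. The rewritten comment also drops the "Zygisk on lower Android versions and AVD scripts" rationale; if those cases still rely on this rule, keep them documented here.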

1 comment on commit da43ac8

Contributor

@aviraxp aviraxp commented on da43ac8 Dec 1, 2024

No, we will push a fix to store context and apply it after selinux is loaded. This commit has potential security issues and does not apply to replace binary, for example.
