Merge "Allow apps and SDK sandbox to access each others' open FDs" am: bd2efacfb7 am: 0a36e495b1 am: 9fa01cfb93

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2583182

Change-Id: Ieb2407aab444a0861065d0c2483536c6dd2aca60
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Gavin Corkery 2023-05-12 15:31:36 +00:00 committed by Automerger Merge Worker
commit 1b6b839894
3 changed files with 7 additions and 4 deletions


@ -262,6 +262,9 @@ allow { appdomain -isolated_app_all -mlstrustedsubject -sdk_sandbox_all } { app_
# Access via already open fds is ok even for mlstrustedsubject.
allow { appdomain -isolated_app_all -sdk_sandbox_all } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
# Access open fds from SDK sandbox
allow appdomain sdk_sandbox_data_file:file { getattr read };
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
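Review bot: The added `allow appdomain sdk_sandbox_data_file:file { getattr read };` applies to the whole appdomain attribute, while the neighbouring rule on app_data_file explicitly carves out `-isolated_app_all -sdk_sandbox_all`; it is worth confirming that isolated apps are meant to consume sandbox-owned fds and, if not, matching that exclusion set. The comment `# Access open fds from SDK sandbox` would be clearer if it said why the grant is narrow: `open` is not in the permission set, so an app can only use a file descriptor an SDK sandbox process has already opened and handed over, e.g. `# Use fds already opened by the SDK sandbox; 'open' is deliberately omitted so apps cannot open these files by path.` Nothing in this hunk grants dir search on sdk_sandbox_data_file, which appears to be what keeps path-based access closed; stating that next to the rule would help the next reader.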


@ -35,9 +35,6 @@ allow mediaprovider_app mediametrics_service:service_manager find;
# Talk to regular app services
allow mediaprovider_app app_api_service:service_manager find;
# Read SDK sandbox data files
allow mediaprovider_app sdk_sandbox_data_file:file { getattr read };
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)


@ -28,6 +28,9 @@ allow sdk_sandbox_all sdk_sandbox_system_data_file:dir { getattr search };
allow sdk_sandbox_all sdk_sandbox_data_file:dir create_dir_perms;
allow sdk_sandbox_all sdk_sandbox_data_file:file create_file_perms;
# allow apps to pass open fds to the sdk sandbox
allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };
###
### neverallow rules
###
@ -64,7 +67,7 @@ neverallow sdk_sandbox_all proc_net:file no_rw_file_perms;
# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:dir no_rw_file_perms;
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file no_rw_file_perms;
neverallow sdk_sandbox_all { app_data_file privapp_data_file }:file ~{ getattr read };
# SDK sandbox processes don't have any access to external storage
neverallow sdk_sandbox_all { media_rw_data_file }:dir no_rw_file_perms;
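Review bot: The comment `# SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file` is now stale, because the neverallow directly beneath it was relaxed from `no_rw_file_perms` to `~{ getattr read }` to admit the new `allow sdk_sandbox_all { app_data_file privapp_data_file }:file { getattr read };` earlier in this file. Suggest extending it to name the carve-out, e.g. `# ... except getattr/read on fds an app has already opened and passed in; 'open' stays forbidden and the :dir rule is unchanged, so the sandbox cannot reach these files by path.` Note also that `~{ getattr read }` is wider than `no_rw_file_perms` for everything other than read — it additionally forbids permissions such as `map` — so a sandbox consumer that later needs to mmap a passed fd will trip this neverallow; confirm that `getattr read` is the complete set the SDK runtime requires.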