diff --git a/private/file.te b/private/file.te index 9dd0615de..01a66cd81 100644 --- a/private/file.te +++ b/private/file.te @@ -19,6 +19,9 @@ type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_f # /data/misc/perfetto-configs for perfetto configs type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type; +# /data/misc_{ce/de}//sdk//* subdirectory for supplemental apps +type supplemental_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; + # /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds. type debugfs_kcov, fs_type, debugfs_type; diff --git a/private/seapp_contexts b/private/seapp_contexts index d6664ff1e..0f1195cdb 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -26,6 +26,7 @@ # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral # user=_app will match any regular app process. # user=_isolated will match any isolated service process. +# user=_supplemental will match supplemental process for an app. # Other values of user are matched against the name associated with the process # UID. # seinfo= matches aginst the seinfo tag for the app, determined from @@ -152,6 +153,7 @@ user=shared_relro domain=shared_relro levelFrom=all user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file user=webview_zygote seinfo=webview_zygote domain=webview_zygote user=_isolated domain=isolated_app levelFrom=user +user=_supplemental domain=supplemental_process type=supplemental_app_data_file levelFrom=all user=_app seinfo=app_zygote domain=app_zygote levelFrom=user user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user @@ -174,4 +176,4 @@ user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file leve user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all user=_app fromRunAs=true domain=runas_app levelFrom=user -user=_app seinfo=supplemental_process name=com.android.supplemental.process domain=supplemental_process type=app_data_file levelFrom=user + diff --git a/private/supplemental_process.te b/private/supplemental_process.te index 1670fa4e2..720f71b4c 100644 --- a/private/supplemental_process.te +++ b/private/supplemental_process.te @@ -38,6 +38,10 @@ can_profile_perf(supplemental_process) allow supplemental_process system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt }; +# allow access to supplemental data directory +allow supplemental_process supplemental_app_data_file:dir create_dir_perms; +allow supplemental_process supplemental_app_data_file:file create_file_perms; + ### ### neverallow rules ###