Allow priv_app to run the renderscript compiler.
Bug: 157478854 Test: manual test and check selinux log in logcat. Change-Id: I0bebcc6b8e4ad7dfeeb0d1c20b3d093fd48891de
This commit is contained in:
Hongguang
parent
ab8d2f0178
commit
737b098a71
2 changed files with 16 additions and 7 deletions
|
|
@ -189,6 +189,14 @@ allow priv_app staging_data_file:dir r_dir_perms;
|
||||||
# allow priv app to access the system app data files for ContentProvider case.
|
# allow priv app to access the system app data files for ContentProvider case.
|
||||||
allow priv_app system_app_data_file:file { read getattr };
|
allow priv_app system_app_data_file:file { read getattr };
|
||||||
|
|
||||||
|
# Allow the renderscript compiler to be run.
|
||||||
|
domain_auto_trans(priv_app, rs_exec, rs)
|
||||||
|
|
||||||
|
# Allow loading and deleting executable shared libraries
|
||||||
|
# within an application home directory. Such shared libraries would be
|
||||||
|
# created by things like renderscript or via other mechanisms.
|
||||||
|
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
||||||
|
|
@ -1,18 +1,19 @@
|
||||||
# Any files which would have been created as app_data_file
|
# Any files which would have been created as app_data_file and
|
||||||
# will be created as app_exec_data_file instead.
|
# privapp_data_file will be created as app_exec_data_file instead.
|
||||||
allow rs app_data_file:dir ra_dir_perms;
|
allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
|
||||||
allow rs app_exec_data_file:file create_file_perms;
|
allow rs app_exec_data_file:file create_file_perms;
|
||||||
type_transition rs app_data_file:file app_exec_data_file;
|
type_transition rs app_data_file:file app_exec_data_file;
|
||||||
|
type_transition rs privapp_data_file:file app_exec_data_file;
|
||||||
|
|
||||||
# Follow /data/user/0 symlink
|
# Follow /data/user/0 symlink
|
||||||
allow rs system_data_file:lnk_file read;
|
allow rs system_data_file:lnk_file read;
|
||||||
|
|
||||||
# Read files from the app home directory.
|
# Read files from the app home directory.
|
||||||
allow rs app_data_file:file r_file_perms;
|
allow rs { app_data_file privapp_data_file }:file r_file_perms;
|
||||||
allow rs app_data_file:dir r_dir_perms;
|
allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
|
||||||
|
|
||||||
# Cleanup app_exec_data_file files in the app home directory.
|
# Cleanup app_exec_data_file files in the app home directory.
|
||||||
allow rs app_data_file:dir remove_name;
|
allow rs { app_data_file privapp_data_file }:dir remove_name;
|
||||||
|
|
||||||
# Use vendor resources
|
# Use vendor resources
|
||||||
allow rs vendor_file:dir r_dir_perms;
|
allow rs vendor_file:dir r_dir_perms;
|
||||||
|
|
@ -27,7 +28,7 @@ allow rs ion_device:chr_file r_file_perms;
|
||||||
allow rs same_process_hal_file:file { r_file_perms execute };
|
allow rs same_process_hal_file:file { r_file_perms execute };
|
||||||
|
|
||||||
# File descriptors passed from app to renderscript
|
# File descriptors passed from app to renderscript
|
||||||
allow rs { untrusted_app_all ephemeral_app }:fd use;
|
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
|
||||||
|
|
||||||
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
|
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
|
||||||
# CAP_DAC_OVERRIDE.
|
# CAP_DAC_OVERRIDE.
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue