Allow priv_app to run the renderscript compiler.

Bug: 157478854
Test: manual test and check selinux log in logcat.
Change-Id: I0bebcc6b8e4ad7dfeeb0d1c20b3d093fd48891de
This commit is contained in:
Hongguang 2021-06-09 09:36:39 -07:00
parent ab8d2f0178
commit 737b098a71
2 changed files with 16 additions and 7 deletions

View file

@ -189,6 +189,14 @@ allow priv_app staging_data_file:dir r_dir_perms;
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
# Allow the renderscript compiler to be run.
domain_auto_trans(priv_app, rs_exec, rs)
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
###
### neverallow rules
###

View file

@ -1,18 +1,19 @@
# Any files which would have been created as app_data_file
# will be created as app_exec_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
# Any files which would have been created as app_data_file and
# privapp_data_file will be created as app_exec_data_file instead.
allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
allow rs app_data_file:file r_file_perms;
allow rs app_data_file:dir r_dir_perms;
allow rs { app_data_file privapp_data_file }:file r_file_perms;
allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
allow rs app_data_file:dir remove_name;
allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@ -27,7 +28,7 @@ allow rs ion_device:chr_file r_file_perms;
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app }:fd use;
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.