tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add missing permissions for Cuttlefish to support GSI testing

Browse source 
Once b/186727553 is fixed, booting GSI on cuttlefish will no longer load
cuttlefish's system_ext sepolicy. These domains are all private and
hence the permissions are being added to system/sepolicy to avoid
making them public(especially mediatranscoding that was changed from
public to private in Android S).

Test: build, boot
Change-Id: I4a78030015fff147545bb627c9e62afbd0daa9d7
This commit is contained in:
Hridya Valsaraju 2021-04-29 12:49:30 -07:00
parent 351331b015
commit a2a2d9cbbd
3 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/mediaprovider_app.te
View file

@ -52,3 +52,5 @@ allow mediaprovider_app proc_filesystems:file r_file_perms;
get_prop(mediaprovider_app, storage_config_prop)
get_prop(mediaprovider_app, drm_service_config_prop)
allow mediaprovider_app gpu_device:dir search;

5
private/mediatranscoding.te
View file

@ -39,6 +39,11 @@ allow mediatranscoding shell_data_file:file { getattr read write };
# allow mediatranscoding service write permission to statsd socket
unix_socket_send(mediatranscoding, statsdw, statsd)
allow mediatranscoding gpu_device:dir search;
# Allow mediatranscoding service to access media-related system properties
get_prop(mediatranscoding, media_config_prop)
# mediatranscoding should never execute any executable without a
# domain transition
neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;

2
private/permissioncontroller_app.te
View file

@ -18,3 +18,5 @@ allow permissioncontroller_app radio_service:service_manager find;
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };
allow permissioncontroller_app gpu_device:dir search;