Merge "Add dontaudit for rs fd usage" into main am: e850e98669 am: 71dc3379f6

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2673701 Change-Id: Ia9a487f93ee436daab8763086c2128cc09db352c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-26 13:15:13 +00:00 · 2023-07-26 13:15:13 +00:00 · a44a6a087c
commit a44a6a087c
parent 3674481782 71dc3379f6
1 changed files with 4 additions and 0 deletions
--- a/private/rs.te
+++ b/private/rs.te
@ -32,6 +32,10 @@ allow rs same_process_hal_file:file { r_file_perms execute };
 # File descriptors passed from app to renderscript
 allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;

+# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
+# renderscript usages shouldn't be popping up.
+dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
+
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.
 neverallow rs rs:capability_class_set *;