tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow priv_app to run the renderscript compiler. am: 737b098a71

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1732952

Change-Id: I926aa35dcae148ab38629077a9725a6e9263a4be
This commit is contained in:
Hongguang 2021-06-15 19:02:15 +00:00 committed by Automerger Merge Worker
commit b264eae769
2 changed files with 16 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
private/priv_app.te
View file

@ -189,6 +189,14 @@ allow priv_app staging_data_file:dir r_dir_perms;
# allow priv app to access the system app data files for ContentProvider case.
allow priv_app system_app_data_file:file { read getattr };
# Allow the renderscript compiler to be run.
domain_auto_trans(priv_app, rs_exec, rs)
# Allow loading and deleting executable shared libraries
# within an application home directory. Such shared libraries would be
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
###
### neverallow rules
###

15
private/rs.te
View file

@ -1,18 +1,19 @@
# Any files which would have been created as app_data_file
# will be created as app_exec_data_file instead.
allow rs app_data_file:dir ra_dir_perms;
# Any files which would have been created as app_data_file and
# privapp_data_file will be created as app_exec_data_file instead.
allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
allow rs app_data_file:file r_file_perms;
allow rs app_data_file:dir r_dir_perms;
allow rs { app_data_file privapp_data_file }:file r_file_perms;
allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
allow rs app_data_file:dir remove_name;
allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@ -27,7 +28,7 @@ allow rs ion_device:chr_file r_file_perms;
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app }:fd use;
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.