Merge "sepolicy: Fix renderscript driver lookup" into oc-dev

2017-04-10 17:45:52 +00:00 · 2017-04-10 17:45:52 +00:00 · b28ef52688
commit b28ef52688
parent ba23c8fa96 3af3a13b31
2 changed files with 16 additions and 2 deletions
--- a/private/app.te
+++ b/private/app.te
@ -93,6 +93,16 @@ allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_p
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')

 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.
--- a/public/domain.te
+++ b/public/domain.te
@ -129,8 +129,12 @@ allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };

 full_treble_only(`
-    # This is required "most likely" for LD_LIBRARY_PATH
-    # (b/36681074)
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The 'execute' permission
+    # for coredomains is granted *only* for same process HALs
    allow domain vendor_file:dir { getattr search };

    # Allow reading and executing out of /vendor to all vendor domains