autoplay_app: access to services and other permissions
Change-Id: I01bb0ad7c93e807cd76135bce554abf0908a54ab
parent
ea285aaafa
commit
b7baa7fd2f
1 changed files with 18 additions and 0 deletions
|
@ -22,6 +22,9 @@ tmpfs_domain(autoplay_app)
|
|||
# Map with PROT_EXEC.
|
||||
allow autoplay_app autoplay_app_tmpfs:file execute;
|
||||
|
||||
# Read system properties managed by zygote.
|
||||
allow autoplay_app zygote_tmpfs:file read;
|
||||
|
||||
# Send logcat messages to logd.
|
||||
write_logd(autoplay_app)
|
||||
|
||||
|
@ -81,6 +84,18 @@ allow autoplay_app system_data_file:lnk_file read;
|
|||
# System file accesses. Check for libraries
|
||||
allow autoplay_app system_file:dir getattr;
|
||||
|
||||
# services
|
||||
allow autoplay_app accessibility_service:service_manager find;
|
||||
allow autoplay_app activity_service:service_manager find;
|
||||
allow autoplay_app assetatlas_service:service_manager find;
|
||||
allow autoplay_app connectivity_service:service_manager find;
|
||||
allow autoplay_app display_service:service_manager find;
|
||||
allow autoplay_app graphicsstats_service:service_manager find;
|
||||
allow autoplay_app input_method_service:service_manager find;
|
||||
allow autoplay_app input_service:service_manager find;
|
||||
allow autoplay_app surfaceflinger_service:service_manager find;
|
||||
allow autoplay_app textservices_service:service_manager find;
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
@ -97,3 +112,6 @@ neverallow autoplay_app debugfs:file read;
|
|||
|
||||
# execute gpu_device
|
||||
neverallow autoplay_app gpu_device:chr_file execute;
|
||||
|
||||
# access files in /sys with the default sysfs label
|
||||
neverallow autoplay_app sysfs:file *;
|
||||
|
|
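Review bot: The ten `service_manager find` grants under `# services` are documented only by that one-word comment, so a later reader cannot tell which lookups the sandboxed domain actually needs. `accessibility_service` and `input_method_service` are the entries I would want justified, because a `find` grant makes the service's binder interface reachable from this domain and leaves all further access checks to the service itself. I would replace the comment with `# Binder services autoplay_app may look up; keep this list minimal and justify each addition.` Assuming these lines are the new side (the +/- markers are not visible on this page), a companion neverallow over `service_manager_type` minus this list, placed in the neverallow section, would stop the set from growing silently.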