Merge "Grant execute on toolbox_exec for isolated_compute_app" am: e105f468d7 am: e968fdb082 am: 249397458d

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505639 Change-Id: I35eaf087bf64b73507db8afee6f86677a896777b Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-03-27 09:28:04 +00:00 · 2023-03-27 09:28:04 +00:00 · f121440661
commit f121440661
parent 3632ed565e 249397458d
2 changed files with 5 additions and 1 deletions
--- a/private/isolated_compute_app.te
+++ b/private/isolated_compute_app.te
@ -32,6 +32,9 @@ allow isolated_compute_app dmabuf_system_heap_device:chr_file r_file_perms;
 # permitted.
 allow isolated_compute_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };

+# Allow access to the toybox: b/275024392
+allow isolated_compute_app toolbox_exec:file rx_file_perms;
+
 #####
 ##### Neverallow
 #####
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@ -347,7 +347,8 @@ def TestIsolatedAttributeConsistency(test_policy):
      "hal_neuralnetworks_service":["service_manager"],
      "servicemanager":["fd"],
      "speech_recognition_service":["service_manager"],
-      "mediaserver_service" :["service_manager"]
+      "mediaserver_service" :["service_manager"],
+      "toolbox_exec": ["file"],
  }

  def resolveHalServerSubtype(target):