platform_system_sepolicy/public/idmap.te
Sandeep Patil 9075699a28 sepolicy: restrict /vendor/overlay from most coredomains
The change makes 'vendor_overlay_file' accessible only to few platform
domains like idmap, system_server, zygote and appdomain.

The overlay files contains RROs (runtime resource overlays)

Bug: 36681210
Test: Boot sailfish (treble device) from wiped flashall
Test: Connect to wifi and launch chrome to load few websites.
Test: Launch camera and record + playback video

Change-Id: I3596ca89ad51d0e7d78c75121f22ea71209ee332
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-06 13:28:16 -07:00

17 lines
563 B
Text

# idmap, when executed by installd
type idmap, domain;
type idmap_exec, exec_type, file_type;
# Use open file to /data/resource-cache file inherited from installd.
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
# Allow apps access to /vendor/app
r_dir_file(idmap, vendor_app_file)
# Allow apps access to /vendor/overlay
r_dir_file(idmap, vendor_overlay_file)