dcb9c2b044
These issues pop up on ocassion, and are very hard to diagnose. Since renderscript is deprecated, we shouldn't be seeing any new problems with it, but there isn't pressure to fix these issues as renderscript should go away on it's own eventually. Fixes: 291211299 Test: Boot, no audit statements. Change-Id: I9d595520ecabea562b8e9d4b113bb18db101219a
46 lines
1.9 KiB
Text
46 lines
1.9 KiB
Text
# Any files which would have been created as app_data_file and
|
|
# privapp_data_file will be created as app_exec_data_file instead.
|
|
allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
|
|
allow rs app_exec_data_file:file create_file_perms;
|
|
type_transition rs app_data_file:file app_exec_data_file;
|
|
type_transition rs privapp_data_file:file app_exec_data_file;
|
|
|
|
# Follow /data/user/0 symlink
|
|
allow rs system_data_file:lnk_file read;
|
|
|
|
# Read files from the app home directory.
|
|
allow rs { app_data_file privapp_data_file }:file r_file_perms;
|
|
allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
|
|
|
|
# Cleanup app_exec_data_file files in the app home directory.
|
|
allow rs { app_data_file privapp_data_file }:dir remove_name;
|
|
|
|
# Use vendor resources
|
|
allow rs vendor_file:dir r_dir_perms;
|
|
r_dir_file(rs, vendor_overlay_file)
|
|
r_dir_file(rs, vendor_app_file)
|
|
# Vendor overlay can be found in vendor apex
|
|
allow rs vendor_apex_metadata_file:dir { getattr search };
|
|
|
|
# Read contents of app apks
|
|
r_dir_file(rs, apk_data_file)
|
|
|
|
allow rs gpu_device:chr_file rw_file_perms;
|
|
allow rs ion_device:chr_file r_file_perms;
|
|
allow rs same_process_hal_file:file { r_file_perms execute };
|
|
|
|
# File descriptors passed from app to renderscript
|
|
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
|
|
|
|
# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
|
|
# renderscript usages shouldn't be popping up.
|
|
dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
|
|
|
|
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
|
|
# CAP_DAC_OVERRIDE.
|
|
neverallow rs rs:capability_class_set *;
|
|
neverallow { domain -appdomain } rs:process { dyntransition transition };
|
|
neverallow rs { domain -crash_dump }:process { dyntransition transition };
|
|
neverallow rs app_data_file_type:file_class_set ~r_file_perms;
|
|
# rs should never use network sockets
|
|
neverallow rs *:network_socket_class_set *;
|