99a5103585
Allow renderscript to use file descriptors created by ephemeral apps. This is needed to support renderscript execution by ephemeral apps. Steps to reproduce: atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading Expected: Test passes Actual: 03-26 03:33:45.373 4607 4607 F linker : CANNOT LINK EXECUTABLE "/system/bin/bcc": can't enable GNU RELRO protection for "": Permission denied 03-26 03:33:45.373 4566 4600 E RenderScript: Child process "/system/bin/bcc" terminated with status 256 03-26 03:33:45.373 4566 4600 E RenderScript: bcc: FAILS to compile 'init_test' 03-26 03:33:45.374 4566 4596 E TestRunner: failed: testRenderScriptLoading(com.google.android.gts.packagemanager.InstantAppTestCases) 03-26 03:33:45.375 4566 4596 E TestRunner: ----- begin exception ----- 03-26 03:33:45.375 4566 4596 E TestRunner: java.lang.AssertionError: Instant App should be able to access RenderScript APIs. 03-26 03:33:45.375 4566 4596 E TestRunner: at org.junit.Assert.fail(Assert.java:88) 03-26 03:33:45.375 4566 4596 E TestRunner: at com.google.android.gts.packagemanager.InstantAppTestCases.testRenderScriptLoading(InstantAppTestCases.java:338) 03-26 03:33:45.375 4566 4596 E TestRunner: at java.lang.reflect.Method.invoke(Native Method) 03-26 03:33:45.375 4566 4596 E TestRunner: at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50) Additional notes: Confusingly ephemeral_app is not part of untrusted_app_all, but it is part of all_untrusted_apps, which is used for neverallow assertions. Bug: 129356700 Test: atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading Change-Id: I47781012b9fd2cd1d03a3d50bed0c693bcf9ec7b
39 lines
1.4 KiB
Text
39 lines
1.4 KiB
Text
# Any files which would have been created as app_data_file
|
|
# will be created as app_exec_data_file instead.
|
|
allow rs app_data_file:dir ra_dir_perms;
|
|
allow rs app_exec_data_file:file create_file_perms;
|
|
type_transition rs app_data_file:file app_exec_data_file;
|
|
|
|
# Follow /data/user/0 symlink
|
|
allow rs system_data_file:lnk_file read;
|
|
|
|
# Read files from the app home directory.
|
|
allow rs app_data_file:file r_file_perms;
|
|
allow rs app_data_file:dir r_dir_perms;
|
|
|
|
# Cleanup app_exec_data_file files in the app home directory.
|
|
allow rs app_data_file:dir remove_name;
|
|
|
|
# Use vendor resources
|
|
allow rs vendor_file:dir r_dir_perms;
|
|
r_dir_file(rs, vendor_overlay_file)
|
|
r_dir_file(rs, vendor_app_file)
|
|
|
|
# Read contents of app apks
|
|
r_dir_file(rs, apk_data_file)
|
|
|
|
allow rs gpu_device:chr_file rw_file_perms;
|
|
allow rs ion_device:chr_file r_file_perms;
|
|
allow rs same_process_hal_file:file { r_file_perms execute };
|
|
|
|
# File descriptors passed from app to renderscript
|
|
allow rs { untrusted_app_all ephemeral_app }:fd use;
|
|
|
|
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
|
|
# CAP_DAC_OVERRIDE.
|
|
neverallow rs rs:capability_class_set *;
|
|
neverallow { domain -appdomain } rs:process { dyntransition transition };
|
|
neverallow rs { domain -crash_dump }:process { dyntransition transition };
|
|
neverallow rs app_data_file:file_class_set ~r_file_perms;
|
|
# rs should never use network sockets
|
|
neverallow rs *:network_socket_class_set *;
|