tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/rs.te
Alfred Piccioni dcb9c2b044 Add dontaudit for rs fd usage 
These issues pop up on ocassion, and are very hard to diagnose. Since
renderscript is deprecated, we shouldn't be seeing any new problems with
it, but there isn't pressure to fix these issues as renderscript should
go away on it's own eventually.

Fixes: 291211299
Test: Boot, no audit statements.
Change-Id: I9d595520ecabea562b8e9d4b113bb18db101219a
2023-07-26 12:12:41 +02:00

46 lines
1.9 KiB
Text
Raw Blame History

# Any files which would have been created as app_data_file and
# privapp_data_file will be created as app_exec_data_file instead.
allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
allow rs { app_data_file privapp_data_file }:file r_file_perms;
allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
allow rs { app_data_file privapp_data_file }:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
r_dir_file(rs, vendor_overlay_file)
r_dir_file(rs, vendor_app_file)
# Vendor overlay can be found in vendor apex
allow rs vendor_apex_metadata_file:dir { getattr search };
# Read contents of app apks
r_dir_file(rs, apk_data_file)
allow rs gpu_device:chr_file rw_file_perms;
allow rs ion_device:chr_file r_file_perms;
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new
# renderscript usages shouldn't be popping up.
dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
neverallow rs rs:capability_class_set *;
neverallow { domain -appdomain } rs:process { dyntransition transition };
neverallow rs { domain -crash_dump }:process { dyntransition transition };
neverallow rs app_data_file_type:file_class_set ~r_file_perms;
# rs should never use network sockets
neverallow rs *:network_socket_class_set *;
Reference in a new issue View git blame Copy permalink