Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3af3a13b3181f9dbeac563e0b35fb838d6c523db^! / .
commit3af3a13b3181f9dbeac563e0b35fb838d6c523db[log] [tgz]
authorSandeep Patil <sspatil@google.com>Mon Apr 10 08:08:13 2017 -0700
committerSandeep Patil <sspatil@google.com>Mon Apr 10 08:45:20 2017 -0700
tree8aed57f405e00e54b898c562983e1ac9b2209d3e
parentd0e9cb055392dfc4597c5dccf1d8ab507f43da26 [diff]
sepolicy: Fix renderscript driver lookup

Renderscript drivers are loaded from /vendor/lib64 by following the
/system/vendor symlink. This change fixes a couple of things.
- Allows all domains access to follow the symlink
- Restores app domain permissions for /vendor for non-treble devices
- Allow app domains to peek into /vendor/lib64, but NOT grant 'execute'
  permissions for everything. Since RS drivers can be loaded into any
  process, their vendor implementation and dependencies have been
  marked as 'same process HALs' already.

Bug: 37169158
Test: Tested on sailfish (Treble) & Angler (non-treble)
      ./cts-tradefed run cts -m CtsRenderscriptTestCases \
      --skip-device-info --skip-preconditions --skip-connectivity-check \
      --abi arm64-v8a
      Result: Tests Passed: 743 Tests Failed: 0

Change-Id: I36f5523381428629126fc196f615063fc7a50b8e
Signed-off-by: Sandeep Patil <sspatil@google.com>

diff --git a/private/app.te b/private/app.te
index f7c060b..c3f44dd 100644
--- a/private/app.te
+++ b/private/app.te

@@ -93,6 +93,16 @@
 # Renderscript needs the ability to read directories on /system
 allow appdomain system_file:dir r_dir_perms;
 allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+    allow appdomain vendor_file_type:dir r_dir_perms;
+    allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+    # For looking up Renderscript vendor drivers
+    allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
 
 # Allow apps access to /vendor/app except for privileged
 # apps which cannot be in /vendor.

diff --git a/public/domain.te b/public/domain.te
index 1fb648b..2b1ba91 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -129,8 +129,12 @@
 allow domain vendor_configs_file:file { read open getattr };
 
 full_treble_only(`
-    # This is required "most likely" for LD_LIBRARY_PATH
-    # (b/36681074)
+    # Allow all domains to be able to follow /system/vendor symlink
+    allow domain vendor_file:lnk_file { getattr open read };
+
+    # This is required to be able to search & read /vendor/lib64
+    # in order to lookup vendor libraries. The 'execute' permission
+    # for coredomains is granted *only* for same process HALs
     allow domain vendor_file:dir { getattr search };
 
     # Allow reading and executing out of /vendor to all vendor domains