Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7216b3aa0031d1b19468ff53173e7df9969b9a99^2..7216b3aa0031d1b19468ff53173e7df9969b9a99 / .
commit7216b3aa0031d1b19468ff53173e7df9969b9a99[log] [tgz]
authorAdam Shih <adamshih@google.com>Wed Jun 16 01:26:50 2021 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Jun 16 01:26:50 2021 +0000
treefe8ee421d0c2789c6dd9925637b22db42a896f97
parent737b098a71da1c6991ce46fb85ee1bc072049155 [diff]
parentff7ba7e301af8d8f382ed319decf3fda712ae4be [diff]
Merge "make system_app_data_file shareable over binder"
diff --git a/private/priv_app.te b/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -189,6 +189,14 @@
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
 ###
 ### neverallow rules
 ###

diff --git a/private/rs.te b/private/rs.te
index bf10841..268f040 100644
--- a/private/rs.te
+++ b/private/rs.te

@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
 allow rs app_exec_data_file:file create_file_perms;
 type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
 
 # Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
 
 # Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
 
 # Use vendor resources
 allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
 allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
 
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.

diff --git a/private/zygote.te b/private/zygote.te
index 9038c4f..dd42a81 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -69,8 +69,8 @@
 # Zygote opens /mnt/expand to mount CE DE storage on each vol
 allow zygote mnt_expand_file:dir { open read search relabelto };
 
-# Bind mount subdirectories on /data/misc/profiles/cur
-allow zygote user_profile_root_file:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
+allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
 
 # Create and bind dirs on /data/data
 allow zygote tmpfs:dir { create_dir_perms mounton };