Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 737b098a71da1c6991ce46fb85ee1bc072049155^! / . / private
commit737b098a71da1c6991ce46fb85ee1bc072049155[log] [tgz]
authorHongguang <hgchen@google.com>Wed Jun 09 09:36:39 2021 -0700
committerHongguang <hgchen@google.com>Tue Jun 15 09:51:05 2021 -0700
treef95a1f386fb49d78c3b9b330de7a673f884a2b1c
parentab8d2f0178da9967dce06aa8601f01812d467d99 [diff]
Allow priv_app to run the renderscript compiler.

Bug: 157478854
Test: manual test and check selinux log in logcat.
Change-Id: I0bebcc6b8e4ad7dfeeb0d1c20b3d093fd48891de

diff --git a/private/priv_app.te b/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te

@@ -189,6 +189,14 @@
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
 ###
 ### neverallow rules
 ###

diff --git a/private/rs.te b/private/rs.te
index bf10841..268f040 100644
--- a/private/rs.te
+++ b/private/rs.te

@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
 allow rs app_exec_data_file:file create_file_perms;
 type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
 
 # Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
 
 # Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
 
 # Use vendor resources
 allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
 allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
 
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.