same_process_hal_file: access to individual coredomains

Remove blanket coredomain access to same_process_hal_file in favor of
granular access. This change takes into account audits from go/sedenials
(our internal dogfood program).

Bug: 37211678
Test: m selinux_policy
Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 95b008d..85e80a5 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -47,12 +47,6 @@
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;
 
-# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
-# if needed.
-userdebug_or_eng(`
-  auditallow isolated_app same_process_hal_file:file *;
-')
-
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;
diff --git a/private/system_server.te b/private/system_server.te
index 048e5b2..42a89d4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -234,6 +234,7 @@
 
 # Use RenderScript always-passthrough HAL
 allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };
 
 # Offer HwBinder services
 add_hwservice(system_server, fwk_scheduler_hwservice)
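Review bot: The added rule grants system_server `execute` on same_process_hal_file without a comment saying which same-process HAL it is for; its placement under the "Use RenderScript always-passthrough HAL" comment suggests the RenderScript passthrough library, but the line reads as a general grant and is the kind of cross-partition code-loading rule a later audit will want justified. A one-line comment above it, e.g. `# Map and execute the same-process (passthrough) HAL libraries this domain loads, e.g. RenderScript.`, would tie the grant to its reason. The same uncommented permission set `{ execute read open getattr map }` is repeated verbatim in the webview_zygote and zygote hunks; since these files already use the `r_file_perms` macro (see the zygote hunk), consider whether `rx_file_perms` expresses the intent, or keep the explicit set, which is narrower than `r_file_perms` (no `ioctl`/`lock`), and say in the comment that the narrowing is deliberate. The coredomain rule the description says is removed is not in the hunks shown here, so I cannot confirm from this chunk that the blanket grant is gone.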
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index ea01412..75f70ac 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -70,6 +70,8 @@
 # Allow apps access to /vendor/overlay
 r_dir_file(webview_zygote, vendor_overlay_file)
 
+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
 #####
 ##### Neverallow
 #####
diff --git a/private/zygote.te b/private/zygote.te
index ec04d8f..0e21d51 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -114,6 +114,8 @@
 allow zygote ion_device:chr_file r_file_perms;
 allow zygote tmpfs:dir r_dir_perms;
 
+allow zygote same_process_hal_file:file { execute read open getattr map };
+
 # Let the zygote access overlays so it can initialize the AssetManager.
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)