Allow priv_app to run the renderscript compiler. am: 737b098a71

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1732952

Bug: 157478854
Test: Manual
Change-Id: I926aa35dcae148ab38629077a9725a6e9263a4be
(cherry picked from commit b264eae769ee4b821fe65b851303ccfe1729d0c7)
diff --git a/prebuilts/api/31.0/private/priv_app.te b/prebuilts/api/31.0/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/prebuilts/api/31.0/private/priv_app.te
+++ b/prebuilts/api/31.0/private/priv_app.te
@@ -189,6 +189,14 @@
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
 ###
 ### neverallow rules
 ###
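Review bot: The added `allow priv_app app_exec_data_file:file { r_file_perms execute unlink };` lets a privileged-app process execute files that live in a writable data directory, and its comment leaves the origin of those files open with "or via other mechanisms". In this commit the only visible creator of `app_exec_data_file` under `privapp_data_file` is the rs domain, through the type_transition added in rs.te, so the comment should say so, e.g. `# Only the rs domain is expected to create these files (b/157478854); priv_app itself gets no create/write here.` Whether the policy already has a neverallow keeping `priv_app` from `create`, `write` or `append` on `app_exec_data_file:file` is not visible in the hunk; if it does not, adding one would keep that assumption checked at build time. The identical hunk in private/priv_app.te has the same issue.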
diff --git a/prebuilts/api/31.0/private/rs.te b/prebuilts/api/31.0/private/rs.te
index bf10841..268f040 100644
--- a/prebuilts/api/31.0/private/rs.te
+++ b/prebuilts/api/31.0/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
 allow rs app_exec_data_file:file create_file_perms;
 type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
 
 # Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
 
 # Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
 
 # Use vendor resources
 allow rs vendor_file:dir r_dir_perms;
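Review bot: Widening the existing rules to `{ app_data_file privapp_data_file }` gives the single rs domain read and directory-append rights over both ordinary-app and privileged-app data, regardless of which kind of app started it. Type enforcement therefore no longer separates an rs process entered from an untrusted app from one entered from priv_app, so isolation of privileged-app data would rest on UID permissions and MLS categories, neither of which is visible in this hunk. I would record that dependency in the header comment, e.g. `# rs is entered from untrusted and privileged apps alike; per-app isolation of these dirs relies on DAC/MLS, not on type.` If that isolation cannot be assumed, consider a separate domain for the priv_app transition. The identical hunk in private/rs.te has the same issue.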
@@ -27,7 +28,7 @@
 allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
 
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.
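Review bot: The neverallow rules introduced by the trailing comment "rs can access app data, so ensure it can only be entered via an app domain" start after the end of this hunk, and nothing visible shows them being extended for the new type. If any of them limits what rs may do to `app_data_file` (for example restricting it to read permissions), it should name `privapp_data_file` as well, so the build-time check covers the access this commit grants. The comment itself could then read `# rs can access app and priv-app data, so ...` to match. The same applies to the copy of this hunk in private/rs.te.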
diff --git a/private/priv_app.te b/private/priv_app.te
index 63a9cbf..3ceb7a3 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -189,6 +189,14 @@
 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };
 
+# Allow the renderscript compiler to be run.
+domain_auto_trans(priv_app, rs_exec, rs)
+
+# Allow loading and deleting executable shared libraries
+# within an application home directory. Such shared libraries would be
+# created by things like renderscript or via other mechanisms.
+allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+
 ###
 ### neverallow rules
 ###
diff --git a/private/rs.te b/private/rs.te
index bf10841..268f040 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,18 +1,19 @@
-# Any files which would have been created as app_data_file
-# will be created as app_exec_data_file instead.
-allow rs app_data_file:dir ra_dir_perms;
+# Any files which would have been created as app_data_file and
+# privapp_data_file will be created as app_exec_data_file instead.
+allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
 allow rs app_exec_data_file:file create_file_perms;
 type_transition rs app_data_file:file app_exec_data_file;
+type_transition rs privapp_data_file:file app_exec_data_file;
 
 # Follow /data/user/0 symlink
 allow rs system_data_file:lnk_file read;
 
 # Read files from the app home directory.
-allow rs app_data_file:file r_file_perms;
-allow rs app_data_file:dir r_dir_perms;
+allow rs { app_data_file privapp_data_file }:file r_file_perms;
+allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
 
 # Cleanup app_exec_data_file files in the app home directory.
-allow rs app_data_file:dir remove_name;
+allow rs { app_data_file privapp_data_file }:dir remove_name;
 
 # Use vendor resources
 allow rs vendor_file:dir r_dir_perms;
@@ -27,7 +28,7 @@
 allow rs same_process_hal_file:file { r_file_perms execute };
 
 # File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
 
 # rs can access app data, so ensure it can only be entered via an app domain and cannot have
 # CAP_DAC_OVERRIDE.