autoplay_app: access to services and other permissions

Change-Id: I01bb0ad7c93e807cd76135bce554abf0908a54ab
diff --git a/autoplay_app.te b/autoplay_app.te
index 19e337b..adce9a4 100644
--- a/autoplay_app.te
+++ b/autoplay_app.te
@@ -22,6 +22,9 @@
 # Map with PROT_EXEC.
 allow autoplay_app autoplay_app_tmpfs:file execute;
 
+# Read system properties managed by zygote.
+allow autoplay_app zygote_tmpfs:file read;
+
 # Send logcat messages to logd.
 write_logd(autoplay_app)
 
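Review bot: The comment on the new `zygote_tmpfs:file read` rule does not mention that the grant is `read` only, with no `open`. As written, the rule permits reading only through a descriptor the process already holds, presumably one inherited from zygote at fork, and that limit is the security-relevant part of the line. I would extend the comment to `# Read system properties managed by zygote (inherited fd only; do not add open).` so a later change does not widen it unnoticed.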
@@ -81,6 +84,18 @@
 # System file accesses. Check for libraries
 allow autoplay_app system_file:dir getattr;
 
+# services
+allow autoplay_app accessibility_service:service_manager find;
+allow autoplay_app activity_service:service_manager find;
+allow autoplay_app assetatlas_service:service_manager find;
+allow autoplay_app connectivity_service:service_manager find;
+allow autoplay_app display_service:service_manager find;
+allow autoplay_app graphicsstats_service:service_manager find;
+allow autoplay_app input_method_service:service_manager find;
+allow autoplay_app input_service:service_manager find;
+allow autoplay_app surfaceflinger_service:service_manager find;
+allow autoplay_app textservices_service:service_manager find;
+
 ###
 ### neverallow rules
 ###
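Review bot: The bare `# services` comment above the ten `service_manager find` grants gives no reason for any of them, which makes the list hard to audit. Each `find` lets autoplay_app obtain a binder handle to that service, so this list defines how much binder surface the domain can reach. `accessibility_service`, `connectivity_service` and `input_method_service` look broader than the rendering and input entries beside them, although a consumer may exist outside this diff. I would replace the comment with `# Binder services autoplay_app looks up; every entry needs a known consumer, keep the list minimal.` and drop any entry that has no caller. If the set is meant to be final, a `neverallow` on `find` for all other service types, placed in the neverallow section that follows, would stop it from growing silently.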
@@ -97,3 +112,6 @@
 
 # execute gpu_device
 neverallow autoplay_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow autoplay_app sysfs:file *;