Allow binder services to r/w su:tcp_socket Test: binderHostDeviceTest Bug: 182914638 Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9

commit: be04b091bbfcdddcac39b474631c77ed47a1a4aa [log] [tgz]
author: Yifan Hong <elsk@google.com> Mon Jun 07 12:37:31 2021 -0700
committer: Yifan Hong <elsk@google.com> Tue Jun 08 10:39:02 2021 -0700
tree: f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent: c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te

@@ -46,4 +46,5 @@
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
commit	be04b091bbfcdddcac39b474631c77ed47a1a4aa	[log] [tgz]
author	Yifan Hong <elsk@google.com>	Mon Jun 07 12:37:31 2021 -0700
committer	Yifan Hong <elsk@google.com>	Tue Jun 08 10:39:02 2021 -0700
tree	f2b28f41cfe7a8df57ab15268b724d9c73a3e975
parent	c4efcbdc069bbdba3171ab482ac936c1fed7d11e [diff] [blame]