| Nick Kralevich | 0eb0a16 | 2018-12-12 09:06:05 -0800 | [diff] [blame] | 1 | type rs, domain, coredomain; |
| 2 | type rs_exec, system_file_type, exec_type, file_type; |
| 3 | |
| 4 | # Any files which would have been created as app_data_file |
| 5 | # will be created as rs_data_file instead. |
| 6 | allow rs app_data_file:dir ra_dir_perms; |
| 7 | allow rs rs_data_file:file create_file_perms; |
| 8 | type_transition rs app_data_file:file rs_data_file; |
| 9 | |
| 10 | # Read files from the app home directory. |
| 11 | allow rs app_data_file:file r_file_perms; |
| 12 | allow rs app_data_file:dir r_dir_perms; |
| 13 | |
| 14 | # Cleanup rs_data_file files in the app home directory. |
| 15 | allow rs app_data_file:dir remove_name; |
| 16 | |
| 17 | # Use vendor resources |
| 18 | allow rs vendor_file:dir r_dir_perms; |
| 19 | r_dir_file(rs, vendor_overlay_file) |
| 20 | r_dir_file(rs, vendor_app_file) |
| 21 | |
| 22 | # Read contents of app apks |
| 23 | r_dir_file(rs, apk_data_file) |
| 24 | |
| 25 | allow rs gpu_device:chr_file rw_file_perms; |
| 26 | allow rs ion_device:chr_file r_file_perms; |
| 27 | allow rs same_process_hal_file:file { r_file_perms execute }; |
| 28 | |
| 29 | # File descriptors passed from app to renderscript |
| 30 | allow rs untrusted_app_all:fd use; |
| 31 | |
| 32 | # TODO: Explain why these dontaudits are needed. Most likely |
| 33 | # these are file descriptors leaking across an exec() boundary |
| 34 | # due to a missing O_CLOEXEC / SOCK_CLOEXEC |
| 35 | dontaudit rs untrusted_app_all:unix_stream_socket { read write }; |
| 36 | dontaudit rs untrusted_app_all:fifo_file { read write }; |
| 37 | |
| 38 | # TODO: Explain why this is necessary. I think this is a zygote |
| 39 | # created logging socket and system server parceled file descriptor |
| 40 | # which is not using the O_CLOEXEC flag. |
| 41 | dontaudit rs zygote:fd use; |
| 42 | dontaudit rs system_server:fd use; |