Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / b7246ac0b624da3cc65586f3a9aa255e6c959262 / . / private / rs.te
blob: 56f8dfcc7f78de028fcd612c3875237a5676f174 [file] [log] [blame]
Nick Kralevich0eb0a162018-12-12 09:06:05 -0800[diff] [blame]1# Any files which would have been created as app_data_file
2# will be created as rs_data_file instead.
3allow rs app_data_file:dir ra_dir_perms;
4allow rs rs_data_file:file create_file_perms;
5type_transition rs app_data_file:file rs_data_file;
6
Nick Kralevich5cbe41b2018-12-19 12:09:42 -0800[diff] [blame]7# Follow /data/user/0 symlink
8allow rs system_data_file:lnk_file read;
9
Nick Kralevich0eb0a162018-12-12 09:06:05 -0800[diff] [blame]10# Read files from the app home directory.
11allow rs app_data_file:file r_file_perms;
12allow rs app_data_file:dir r_dir_perms;
13
14# Cleanup rs_data_file files in the app home directory.
15allow rs app_data_file:dir remove_name;
16
17# Use vendor resources
18allow rs vendor_file:dir r_dir_perms;
19r_dir_file(rs, vendor_overlay_file)
20r_dir_file(rs, vendor_app_file)
21
22# Read contents of app apks
23r_dir_file(rs, apk_data_file)
24
25allow rs gpu_device:chr_file rw_file_perms;
26allow rs ion_device:chr_file r_file_perms;
27allow rs same_process_hal_file:file { r_file_perms execute };
28
29# File descriptors passed from app to renderscript
30allow rs untrusted_app_all:fd use;
31
32# TODO: Explain why these dontaudits are needed. Most likely
33# these are file descriptors leaking across an exec() boundary
34# due to a missing O_CLOEXEC / SOCK_CLOEXEC
35dontaudit rs untrusted_app_all:unix_stream_socket { read write };
36dontaudit rs untrusted_app_all:fifo_file { read write };
37
38# TODO: Explain why this is necessary. I think this is a zygote
39# created logging socket and system server parceled file descriptor
40# which is not using the O_CLOEXEC flag.
41dontaudit rs zygote:fd use;
42dontaudit rs system_server:fd use;