Skip to content
Snippets Groups Projects
Commit 5a51f12b authored by Tri Vo's avatar Tri Vo Committed by android-build-merger
Browse files

Audit access to same_process_hal_file. am: 81ade3dd

am: 3026dc73

Change-Id: I29122d28a7704c9d944990adc80d7ea5192924f5
parents c6893fb4 3026dc73
No related branches found
No related tags found
No related merge requests found
......@@ -47,6 +47,12 @@ allow isolated_app webview_zygote_tmpfs:file read;
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
# if needed.
userdebug_or_eng(`
auditallow isolated_app same_process_hal_file:file *;
')
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
allow isolated_app traced:fd use;
......
......@@ -188,7 +188,22 @@ allow domain vendor_hal_file:dir r_dir_perms;
# Everyone can read and execute all same process HALs
allow domain same_process_hal_file:dir r_dir_perms;
# TODO(b/37211678): whitelist domains that actually need same process HALs.
allow domain same_process_hal_file:file { execute read open getattr map };
# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
# same_process_hal_file label, which is what we are interested in.
userdebug_or_eng(`
auditallow {
coredomain
-zygote
-hal_allocator_client
# Graphics mapper clients.
-hal_graphics_allocator_client
# Renderscript clients include { system_server appdomain -isolated_app }.
-appdomain
-system_server
} same_process_hal_file:file *;
')
# Any process can load vndk-sp libraries, which are system libraries
# used by same process HALs
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment