Allow binder IPC between ephemeral app and appdomain

Address denial type=1400 audit(0.0:42): avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder Test: Above denial no longer happens Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702

Allow binder IPC between ephemeral app and appdomain
Address denial type=1400 audit(0.0:42): avc: denied { call } for scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder Test: Above denial no longer happens Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
641d5d8f · Chad Brubaker · d57dd813 · 641d5d8f · 641d5d8f
Commit 641d5d8f authored 8 years ago by Chad Brubaker
--- a/public/app.te
+++ b/public/app.te
@@ -154,6 +154,8 @@ binder_use(appdomain)
 binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)

 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how

--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -54,6 +54,8 @@ binder_use(ephemeral_app)
 # Perform binder IPC to binder services.
 binder_call(ephemeral_app, surfaceflinger)
 binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)

 # Allow read access to ion memory allocation device
 allow ephemeral_app ion_device:chr_file { read open };