From dd253e9019ec3ab4700550cf2491aa1cbdc4e8c9 Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Mon, 6 Aug 2018 16:25:36 -0700
Subject: [PATCH] Add support for RS vendor executables.

/vendor/bin/bcc being a dependency of renderscript should be labeled as
same_process_hal_file. To facilitate that we relax neverallow rules for
executing same_process_hal_file from coredomain.

See details on /vendor/bin/bcc:
https://source.android.com/devices/architecture/vndk/renderscript

Bug: n/a
Test: build-time change
Change-Id: Ie996fb863090bf08b3d3ef653da827d0b22937d7
---
 public/domain.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index a049094c0..f9923ed1c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1036,7 +1036,10 @@ full_treble_only(`
       coredomain
       -shell
       -system_executes_vendor_violators
-    } vendor_file_type:file execute_no_trans;
+    } {
+      vendor_file_type
+      -same_process_hal_file
+    }:file execute_no_trans;
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
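Review bot: The new `-same_process_hal_file` subtraction in the target set has no comment, and it is broader than the commit message's stated purpose. It lifts the `execute_no_trans` restriction for every coredomain in the source set and for every file carrying the `same_process_hal_file` label, not only for /vendor/bin/bcc. Anything executable that later receives this label falls outside the neverallow and can be run by a core domain without a domain transition, provided an allow rule grants it. Please add a comment directly above the `{ vendor_file_type -same_process_hal_file }` set naming the RenderScript bcc dependency as the reason. Also consider whether the carve-out can be narrowed, either with a dedicated type for the bcc executable or by limiting the source domains to those that actually invoke it. "Test: build-time change" confirms only that the policy compiles, so it would help to note which allow rules are expected to use this relaxation.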
-- 
GitLab