PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rs.te: Allow ephemeral_app FD use

Browse Source 
Allow renderscript to use file descriptors created by ephemeral apps.
This is needed to support renderscript execution by ephemeral apps.

Steps to reproduce:

  atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading

Expected:

  Test passes

Actual:
  03-26 03:33:45.373  4607  4607 F linker  : CANNOT LINK EXECUTABLE "/system/bin/bcc": can't enable GNU RELRO protection for "": Permission denied
  03-26 03:33:45.373  4566  4600 E RenderScript: Child process "/system/bin/bcc" terminated with status 256
  03-26 03:33:45.373  4566  4600 E RenderScript: bcc: FAILS to compile 'init_test'
  03-26 03:33:45.374  4566  4596 E TestRunner: failed: testRenderScriptLoading(com.google.android.gts.packagemanager.InstantAppTestCases)
  03-26 03:33:45.375  4566  4596 E TestRunner: ----- begin exception -----
  03-26 03:33:45.375  4566  4596 E TestRunner: java.lang.AssertionError: Instant App should be able to access RenderScript APIs.
  03-26 03:33:45.375  4566  4596 E TestRunner:  at org.junit.Assert.fail(Assert.java:88)
  03-26 03:33:45.375  4566  4596 E TestRunner:  at com.google.android.gts.packagemanager.InstantAppTestCases.testRenderScriptLoading(InstantAppTestCases.java:338)
  03-26 03:33:45.375  4566  4596 E TestRunner:  at java.lang.reflect.Method.invoke(Native Method)
  03-26 03:33:45.375  4566  4596 E TestRunner:  at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)

Additional notes: Confusingly ephemeral_app is not part of untrusted_app_all,
but it is part of all_untrusted_apps, which is used for neverallow
assertions.

Bug: 129356700
Test: atest com.google.android.pm.gts.PackageManagerHostTest#testRenderScriptLoading
Change-Id: I47781012b9fd2cd1d03a3d50bed0c693bcf9ec7b
This commit is contained in:
Nick Kralevich 2019-04-02 13:48:39 -07:00
parent f99aa3cb66
commit 99a5103585
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
private/rs.te
View File

@ -27,7 +27,7 @@ allow rs ion_device:chr_file r_file_perms;
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
allow rs untrusted_app_all:fd use;
allow rs { untrusted_app_all ephemeral_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.