diff options
author | Nick Bray <ncbray@google.com> | 2017-04-04 17:07:46 -0700 |
---|---|---|
committer | Nick Bray <ncbray@google.com> | 2017-04-07 10:36:38 -0700 |
commit | 850f8473e581b48cfc06de0089cd0e3e02e34eb4 (patch) | |
tree | 723a947c024d7e85124690317b2ca432a248f8b0 /vrcore/sepolicy/vrcore_app.te | |
parent | 25a8008ed022ab9d7c69362bb575e653f0210d3f (diff) | |
download | device_google_vrservices-850f8473e581b48cfc06de0089cd0e3e02e34eb4.tar.gz device_google_vrservices-850f8473e581b48cfc06de0089cd0e3e02e34eb4.tar.bz2 device_google_vrservices-850f8473e581b48cfc06de0089cd0e3e02e34eb4.zip |
App-specific SELinux domain for VrCore.
Move VrCore from untrusted_app_25 into its own domain so we can have
finer control of its IPC surface.
Bug: 36367417
Test: manual
Change-Id: Ib02a58a0a45b7b86c05e3e585437b2f9d68687fe
Diffstat (limited to 'vrcore/sepolicy/vrcore_app.te')
-rw-r--r-- | vrcore/sepolicy/vrcore_app.te | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/vrcore/sepolicy/vrcore_app.te b/vrcore/sepolicy/vrcore_app.te new file mode 100644 index 0000000..4515b50 --- /dev/null +++ b/vrcore/sepolicy/vrcore_app.te @@ -0,0 +1,36 @@ +### +### VrCore was historically an untrusted_app, but it was moved into its own +### domain to tighten access to VrCore-specific IPC services and +### opportunistically eliminate legacy untrusted_app rules. +### + +type vrcore_app, domain; + +app_domain(vrcore_app) +net_domain(vrcore_app) +bluetooth_domain(vrcore_app) + +# Services from untrusted_app_all. +# Should be kept in sync with untrusted_app_all. +allow vrcore_app audioserver_service:service_manager find; +allow vrcore_app cameraserver_service:service_manager find; +allow vrcore_app drmserver_service:service_manager find; +allow vrcore_app mediaserver_service:service_manager find; +allow vrcore_app mediaextractor_service:service_manager find; +allow vrcore_app mediametrics_service:service_manager find; +allow vrcore_app mediadrmserver_service:service_manager find; +allow vrcore_app mediacasserver_service:service_manager find; +allow vrcore_app nfc_service:service_manager find; +allow vrcore_app radio_service:service_manager find; +allow vrcore_app surfaceflinger_service:service_manager find; +allow vrcore_app app_api_service:service_manager find; + +# VrCore-specific services. +allow vrcore_app vr_manager_service:service_manager find; + +# gdbserver for ndk-gdb ptrace attaches to app process. +allow vrcore_app self:process ptrace; + +# Access to /data/media for screenshots. +allow vrcore_app media_rw_data_file:dir create_dir_perms; +allow vrcore_app media_rw_data_file:file create_file_perms; |