Commit 40dcb852 authored by android-build-prod (mdb)'s avatar android-build-prod (mdb)

Snap for 4488012 from 473cc5e1 to oreo-cts-release

Change-Id: I4297e356217a28786ba4102c07fd631a229de6af
parents abfb6322 473cc5e1
...@@ -19,6 +19,10 @@ app_domain(ephemeral_app) ...@@ -19,6 +19,10 @@ app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds # Allow ephemeral apps to read/write files in visible storage if provided fds
allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append}; allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
allow ephemeral_app app_data_file:file {r_file_perms execute};
# services # services
allow ephemeral_app audioserver_service:service_manager find; allow ephemeral_app audioserver_service:service_manager find;
allow ephemeral_app cameraserver_service:service_manager find; allow ephemeral_app cameraserver_service:service_manager find;
...@@ -36,8 +40,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find; ...@@ -36,8 +40,7 @@ allow ephemeral_app ephemeral_app_api_service:service_manager find;
### neverallow rules ### neverallow rules
### ###
# Executable content should never be loaded from an ephemeral app home directory. neverallow ephemeral_app app_data_file:file execute_no_trans;
neverallow ephemeral_app app_data_file:file { execute execute_no_trans };
# Receive or send uevent messages. # Receive or send uevent messages.
neverallow ephemeral_app domain:netlink_kobject_uevent_socket *; neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
......
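Review bot: The neverallow in the `### neverallow rules` section no longer carries any comment on the new side, because the explanatory line was dropped together with the old `{ execute execute_no_trans }` form, so a reader now sees `allow ephemeral_app app_data_file:file {r_file_perms execute};` next to a bare `neverallow ephemeral_app app_data_file:file execute_no_trans;` and has to work out why one is allowed and the other forbidden. I would restore a comment above it, e.g. `# Ephemeral apps may map app_data_file executable (shared libraries), but must never execve it in their own domain.`, so the mmap/dlopen versus execve split is explicit and the next relaxation of this line is a deliberate decision. The comment on the new allow rule ("binaries that they write out ... and then execute") also overstates what is granted: with `execute_no_trans` still neverallowed, execve of such a binary in the ephemeral_app domain remains blocked, so that comment should say the files may be loaded or mapped executable rather than executed. The remainder of the neverallow section continues past the visible lines.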