From 641d5d8f9b0d3c425ec0b10da1804532c65a21d3 Mon Sep 17 00:00:00 2001
From: Chad Brubaker <cbrubaker@google.com>
Date: Mon, 14 Nov 2016 12:21:51 -0800
Subject: [PATCH] Allow binder IPC between ephemeral app and appdomain

Address denial type=1400 audit(0.0:42): avc: denied { call } for
scontext=u:r:untrusted_app:s0:c512,c768
tcontext=u:r:ephemeral_app:s0:c207,c258,c512,c768 tclass=binder

Test: Above denial no longer happens
Change-Id: I351269ee4671cfd51c981d3db5d0f3944d14e702
---
 public/app.te           | 2 ++
 public/ephemeral_app.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/public/app.te b/public/app.te
index 064b25f16..77af57c8c 100644
--- a/public/app.te
+++ b/public/app.te
@@ -154,6 +154,8 @@ binder_use(appdomain)
 binder_call(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
 
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
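Review bot: The new rule grants the call permission to the whole `appdomain` attribute, while the denial quoted in the commit message only shows `untrusted_app` as the source; the policy comment should state that the wider attribute is chosen deliberately, mirroring the `binder_call(appdomain, appdomain)` rule directly above it. Suggested wording: `# Perform binder IPC to ephemeral apps (same scope as app-to-app IPC above).` If the `binder_call` macro also grants the reverse `transfer` permission as it does elsewhere in this policy, this single line together with the ephemeral_app.te hunk makes the channel usable from either side; it would help reviewers if the commit message said that both directions are intended rather than only citing the one denial. The same remark applies to the hunk in public/ephemeral_app.te.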
diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 0f5b4b123..bef547296 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -54,6 +54,8 @@ binder_use(ephemeral_app)
 # Perform binder IPC to binder services.
 binder_call(ephemeral_app, surfaceflinger)
 binder_call(ephemeral_app, system_server)
+# Perform binder IPC to apps.
+binder_call(ephemeral_app, appdomain)
 
 # Allow read access to ion memory allocation device
 allow ephemeral_app ion_device:chr_file { read open };
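Review bot: The added lines sit under the existing header `# Perform binder IPC to binder services.`, so a reader now sees an app-to-app rule filed as a binder-service rule; separate it with a blank line so `# Perform binder IPC to apps.` starts its own group, matching how app.te groups its rules. The rule itself is the reverse direction of the one added in public/app.te; since the commit message only documents the app-to-ephemeral denial, please note in the message (or a short comment here) that ephemeral-initiated calls to apps are intended as well, as the `Test:` line does not cover this direction.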
-- 
GitLab