From b7baa7fd2f69e5b618e1617db018b2af9278b212 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 9 Dec 2015 12:19:35 -0800
Subject: [PATCH] autoplay_app: access to services and other permissions

Change-Id: I01bb0ad7c93e807cd76135bce554abf0908a54ab
---
 autoplay_app.te | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/autoplay_app.te b/autoplay_app.te
index 19e337b02..adce9a4ff 100644
--- a/autoplay_app.te
+++ b/autoplay_app.te
@@ -22,6 +22,9 @@ tmpfs_domain(autoplay_app)
 # Map with PROT_EXEC.
 allow autoplay_app autoplay_app_tmpfs:file execute;
 
+# Read system properties managed by zygote.
+allow autoplay_app zygote_tmpfs:file read;
+
 # Send logcat messages to logd.
 write_logd(autoplay_app)
 
@@ -81,6 +84,18 @@ allow autoplay_app system_data_file:lnk_file read;
 # System file accesses. Check for libraries
 allow autoplay_app system_file:dir getattr;
 
+# services
+allow autoplay_app accessibility_service:service_manager find;
+allow autoplay_app activity_service:service_manager find;
+allow autoplay_app assetatlas_service:service_manager find;
+allow autoplay_app connectivity_service:service_manager find;
+allow autoplay_app display_service:service_manager find;
+allow autoplay_app graphicsstats_service:service_manager find;
+allow autoplay_app input_method_service:service_manager find;
+allow autoplay_app input_service:service_manager find;
+allow autoplay_app surfaceflinger_service:service_manager find;
+allow autoplay_app textservices_service:service_manager find;
+
 ###
 ### neverallow rules
 ###
@@ -97,3 +112,6 @@ neverallow autoplay_app debugfs:file read;
 
 # execute gpu_device
 neverallow autoplay_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow autoplay_app sysfs:file *;
-- 
GitLab
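Review bot: The comment on the new `zygote_tmpfs` rule in the first hunk names a purpose ("system properties managed by zygote") but the object it grants is every tmpfs-backed file zygote creates, not just property data, so an auditor of this domain cannot tell from the comment how wide the grant is. Suggest stating the scope and the restriction explicitly: `# Read-only access to tmpfs files created by zygote (e.g. property data it manages); no open/write/execute on them.` If autoplay_app is meant to inherit the equivalent appdomain rule from app.te, this line may be redundant, but that cannot be confirmed from this hunk.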
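Review bot: The `# services` comment in the second hunk gives no rationale for any of the ten `service_manager find` grants, and at least `accessibility_service` and `input_service` front interfaces that expose or inject UI state, so an ephemeral/autoplay domain being allowed to locate them deserves a stated justification rather than an unexplained list. Suggest replacing the bare comment with `# System services this domain may look up via servicemanager (find only; actual calls are still gated by the binder_call rules for this domain and by each service's own permission checks). Keep this list minimal and justify each entry.` and adding a one-line reason next to the sensitive entries. The binder_call rules that make these lookups useful are not in this hunk, so whether the list matches what the domain can actually call cannot be verified here.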
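Review bot: The new neverallow in the last hunk covers only the `file` class of the `sysfs` type, so directories and symlinks under /sys, and any sysfs node carrying a more specific label than the default, are outside its reach, which its own comment half-acknowledges. If this policy tree defines a `sysfs_type` attribute, `neverallow autoplay_app sysfs_type:file *;` would close the labelled-node gap; whether `dir` and `lnk_file` should be added depends on whether the domain needs to walk /sys at all, which this hunk does not show. Either way the comment should state the intended boundary: `# No access of any kind to files in /sys carrying the default sysfs label. Covers the file class only; /sys directories, symlinks and specifically-labelled nodes are not restricted here.`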