diff options
| author | Nolen Johnson <johnsonnolen@gmail.com> | 2022-04-17 20:52:08 -0400 |
|---|---|---|
| committer | Nolen Johnson <johnsonnolen@gmail.com> | 2022-04-18 01:54:06 +0100 |
| commit | 2819ec79d749830aa4c9027f01228cd86b3eb136 (patch) | |
| tree | 78f24c688b50d9922a654df60fc015be4047091b | |
| parent | 0dbc59f3b7e16a80ef44207f764710c1abb8071a (diff) | |
atv: Update mediashell_app policy
* Direct copy of google's provided template for this.
Change-Id: I1871b1ece6b6ef73b3eafaeb11288a0d882d2c2b
| -rw-r--r-- | atv/private/mediashell_app.te | 27 | ||||
| -rw-r--r-- | atv/private/seapp_contexts | 1 |
2 files changed, 19 insertions, 9 deletions
diff --git a/atv/private/mediashell_app.te b/atv/private/mediashell_app.te index eb382ce..5574f1c 100644 --- a/atv/private/mediashell_app.te +++ b/atv/private/mediashell_app.te @@ -1,17 +1,15 @@ +# Domains needed by mediashell_app + type mediashell_app, domain, coredomain; app_domain(mediashell_app); -bluetooth_domain(mediashell_app); net_domain(mediashell_app); +bluetooth_domain(mediashell_app); -userdebug_or_eng(` - allow mediashell_app shell_data_file:file r_file_perms; - allow mediashell_app shell_data_file:dir r_dir_perms; -') - -allow mediashell_app audioserver:fifo_file { write }; - +# Find services that expose both @SystemAPI and normal APIs. allow mediashell_app app_api_service:service_manager find; +allow mediashell_app system_api_service:service_manager find; + allow mediashell_app audioserver_service:service_manager find; allow mediashell_app cameraserver_service:service_manager find; allow mediashell_app drmserver_service:service_manager find; @@ -22,6 +20,17 @@ allow mediashell_app mediaserver_service:service_manager find; allow mediashell_app network_watchlist_service:service_manager find; allow mediashell_app nfc_service:service_manager find; allow mediashell_app radio_service:service_manager find; -allow mediashell_app system_api_service:service_manager find; +# Chromium provides infrastructure to load flags from a static file path for +# testing purposes. Allow this on debug/eng builds only. +userdebug_or_eng(` + allow mediashell_app shell_data_file:file r_file_perms; + allow mediashell_app shell_data_file:dir r_dir_perms; +') + +# MediaShell's Chromium crashpad uses the dynamic linker to load native +# executables from an APK on Q+ and ptrace to report logs to Google Home App. +allow mediashell_app system_linker_exec:file execute_no_trans; allow mediashell_app self:process ptrace; + +allow mediashell_app audioserver:fifo_file { write }; diff --git a/atv/private/seapp_contexts b/atv/private/seapp_contexts index b32c255..675c0cb 100644 --- a/atv/private/seapp_contexts +++ b/atv/private/seapp_contexts @@ -1 +1,2 @@ +# AndroidMediaShell (mediashell_app) access to Widevine user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell type=app_data_file levelFrom=all |