1# Any files which would have been created as app_data_file 2# will be created as app_exec_data_file instead. 3allow rs app_data_file:dir ra_dir_perms; 4allow rs app_exec_data_file:file create_file_perms; 5type_transition rs app_data_file:file app_exec_data_file; 6 7# Follow /data/user/0 symlink 8allow rs system_data_file:lnk_file read; 9 10# Read files from the app home directory. 11allow rs app_data_file:file r_file_perms; 12allow rs app_data_file:dir r_dir_perms; 13 14# Cleanup app_exec_data_file files in the app home directory. 15allow rs app_data_file:dir remove_name; 16 17# Use vendor resources 18allow rs vendor_file:dir r_dir_perms; 19r_dir_file(rs, vendor_overlay_file) 20r_dir_file(rs, vendor_app_file) 21 22# Read contents of app apks 23r_dir_file(rs, apk_data_file) 24 25allow rs gpu_device:chr_file rw_file_perms; 26allow rs ion_device:chr_file r_file_perms; 27allow rs same_process_hal_file:file { r_file_perms execute }; 28 29# File descriptors passed from app to renderscript 30allow rs { untrusted_app_all ephemeral_app }:fd use; 31 32# rs can access app data, so ensure it can only be entered via an app domain and cannot have 33# CAP_DAC_OVERRIDE. 34neverallow rs rs:capability_class_set *; 35neverallow { domain -appdomain } rs:process { dyntransition transition }; 36neverallow rs { domain -crash_dump }:process { dyntransition transition }; 37neverallow rs app_data_file:file_class_set ~r_file_perms; 38# rs should never use network sockets 39neverallow rs *:network_socket_class_set *; 40