1# Any files which would have been created as app_data_file and 2# privapp_data_file will be created as app_exec_data_file instead. 3allow rs { app_data_file privapp_data_file }:dir ra_dir_perms; 4allow rs app_exec_data_file:file create_file_perms; 5type_transition rs app_data_file:file app_exec_data_file; 6type_transition rs privapp_data_file:file app_exec_data_file; 7 8# Follow /data/user/0 symlink 9allow rs system_data_file:lnk_file read; 10 11# Read files from the app home directory. 12allow rs { app_data_file privapp_data_file }:file r_file_perms; 13allow rs { app_data_file privapp_data_file }:dir r_dir_perms; 14 15# Cleanup app_exec_data_file files in the app home directory. 16allow rs { app_data_file privapp_data_file }:dir remove_name; 17 18# Use vendor resources 19allow rs vendor_file:dir r_dir_perms; 20r_dir_file(rs, vendor_overlay_file) 21r_dir_file(rs, vendor_app_file) 22# Vendor overlay can be found in vendor apex 23allow rs vendor_apex_metadata_file:dir { getattr search }; 24 25# Read contents of app apks 26r_dir_file(rs, apk_data_file) 27 28allow rs gpu_device:chr_file rw_file_perms; 29allow rs ion_device:chr_file r_file_perms; 30allow rs same_process_hal_file:file { r_file_perms execute }; 31 32# File descriptors passed from app to renderscript 33allow rs { untrusted_app_all ephemeral_app priv_app }:fd use; 34 35# See b/291211299. Since rs is deprecated, this shouldn't be too dangerous, since new 36# renderscript usages shouldn't be popping up. 37dontaudit rs { zygote surfaceflinger hal_graphics_allocator }:fd use; 38 39# rs can access app data, so ensure it can only be entered via an app domain and cannot have 40# CAP_DAC_OVERRIDE. 41neverallow rs rs:capability_class_set *; 42neverallow { domain -appdomain } rs:process { dyntransition transition }; 43neverallow rs { domain -crash_dump }:process { dyntransition transition }; 44neverallow rs app_data_file_type:file_class_set ~r_file_perms; 45# rs should never use network sockets 46neverallow rs *:network_socket_class_set *; 47