
Commit e61f6cdc authored by codeworkx's avatar codeworkx

selinux: add domain for snap

Snap needs to read vendor files on Treble-enabled devices.

This is based on policies written by Eino-Ville Talvala <etalvala@google.com> for Google camera
app.

Change-Id: Ia4f3da3fa20ff894b5b202f6691e8f2c03f06e7f
parent f1ad3210
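--- a/<path of file 1 not shown on page>
+++ b/<path of file 1 not shown on page>
+user=_app isPrivApp=true seinfo=platform name=org.lineageos.snap domain=snap_app type=app_data_file levelFrom=user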
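Review bot: The new seapp_contexts entry carries no comment saying why org.lineageos.snap gets a dedicated domain instead of the default priv-app one; that reason lives only in the commit message. Suggest a preceding line `# Snap: platform-signed priv-app that must read vendor camera modules on Treble devices, hence its own domain (snap_app)`. The `seinfo=platform` key is worth keeping on this entry, since it is presumably what ties the domain to the platform-signed build of the package; a `name=` match on its own would not do that.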
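--- a/<path of file 2 not shown on page>
+++ b/<path of file 2 not shown on page>
+type snap_app, domain, coredomain;
+
+app_domain(snap_app)
+net_domain(snap_app)
+
+# Access standard system services
+allow snap_app app_api_service:service_manager find;
+allow snap_app audioserver_service:service_manager find;
+allow snap_app cameraserver_service:service_manager find;
+allow snap_app drmserver_service:service_manager find;
+allow snap_app mediacodec_service:service_manager find;
+allow snap_app mediaextractor_service:service_manager find;
+allow snap_app mediaserver_service:service_manager find;
+allow snap_app mediametrics_service:service_manager find;
+allow snap_app nfc_service:service_manager find;
+allow snap_app surfaceflinger_service:service_manager find;
+
+allow snap_app hidl_token_hwservice:hwservice_manager find;
+
+# Allow to read and execute camera app modules
+allow snap_app vendor_file:file { rx_file_perms };
+
+# Execute libraries from RenderScript cache
+allow snap_app app_data_file:file { rx_file_perms };
+
+# Read memory info
+allow snap_app proc_meminfo:file r_file_perms;
+
+# gdbserver / stack traces
+allow snap_app self:process ptrace;
+
+# Read and write system app data files passed over Binder.
+allow snap_app system_app_data_file:file { read write getattr };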
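Review bot: `allow snap_app app_data_file:file { rx_file_perms };` (the RenderScript cache rule) grants more than its comment describes: rx_file_perms expands to r_file_perms plus execute and execute_no_trans, so the app may also exec any file in its own writable data directory as a program, while mapping a cached RenderScript library only needs `{ r_file_perms execute }`, which as far as I recall is what AOSP gives untrusted apps for the same purpose. Suggest `allow snap_app app_data_file:file { r_file_perms execute };`. The vendor_file rule above it has the same shape, execute and execute_no_trans on every vendor_file, while its comment speaks only of camera modules; if those are shared libraries, `{ r_file_perms execute }` should suffice there too, and the comment should name which files are meant. The `self:process ptrace` rule looks like a duplicate of what app_domain() already grants to appdomain; if so it can be dropped with a pointer to app.te.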