Merge "SEPolicy: Add AptX codec and power management properties" into main
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 1dd2e3d..df7d1a2 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -24,6 +24,7 @@
define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
define(`APM_IOC_STANDBY', `0x00004101')
define(`APM_IOC_SUSPEND', `0x00004102')
+define(`ASHMEM_GET_FILE_ID', `0x8008770b')
define(`ASHMEM_GET_NAME', `0x81007702')
define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
define(`ASHMEM_GET_PROT_MASK', `0x00007706')
@@ -726,6 +727,9 @@
define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`F2FS_IOC_START_ATOMIC_REPLACE', `0xf519')
+define(`F2FS_IOC_GET_DEV_ALIAS_FILE', `0xf51a')
+define(`F2FS_IOC_IO_PRIO', `0xf51b')
define(`F2FS_IOC_SHUTDOWN', `0x587d')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 64ee1b0..6757acd 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -75,3 +75,10 @@
BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
BINDER_GET_EXTENDED_ERROR
}')
+
+# ashmem ioctls to be used on memfds for compatibility
+define(`ashmem_ioctls', `{
+ASHMEM_SET_NAME ASHMEM_GET_NAME ASHMEM_SET_SIZE ASHMEM_GET_SIZE
+ASHMEM_SET_PROT_MASK ASHMEM_GET_PROT_MASK ASHMEM_PIN ASHMEM_UNPIN
+ASHMEM_GET_PIN_STATUS ASHMEM_PURGE_ALL_CACHES ASHMEM_GET_FILE_ID
+}')
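Review bot: The new `ashmem_ioctls` macro lacks a comment stating what governs its membership, so a reader cannot tell whether the list is complete or how to extend it; the one-line comment above it only says where it is used. `ASHMEM_GET_FILE_ID` is defined in `public/ioctl_defines` by this same change, so the two files must move together. I would expand the comment to `# ashmem ioctls, granted via allowxperm on tmpfs-backed files so memfd-based ashmem compatibility keeps working. Keep in sync with the ASHMEM_* entries in public/ioctl_defines.` Note that this xperm set only narrows an `ioctl` grant on the file class; on its own it permits nothing.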
diff --git a/public/te_macros b/public/te_macros
index 2ba15b3..78e75a0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -75,7 +75,8 @@
# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
define(`tmpfs_domain', `
type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr map };
+allow $1 $1_tmpfs:file { read write getattr map ioctl };
+allowxperm $1 $1_tmpfs:file ioctl ashmem_ioctls;
')
# pdx macros for IPC. pdx is a high-level name which contains transport-specific
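Review bot: The `tmpfs_domain` header comment at the top of the hunk still describes only file creation and read/write access, while the new lines add `ioctl` to the allow rule and then restrict it with `allowxperm ... ashmem_ioctls`; the header should say so, because the `ioctl` permission on its own would be unrestricted and the two added lines only make sense as a pair. I would add `# ioctl on these files is limited to the ashmem compatibility set (ashmem_ioctls) via allowxperm; keep the allow and allowxperm lines together.` below the existing header. The same documentation gap applies to the appdomain hunk at `@@ -243,7 +244,8 @@`, whose enclosing macro starts outside that hunk. As written, a later edit that drops the `allowxperm` line but keeps `ioctl` would silently widen access to every ioctl on these files.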
@@ -243,7 +244,8 @@
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
userfaultfd_use($1)
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
+allow $1 appdomain_tmpfs:file { execute getattr map read write ioctl };
+allowxperm $1 appdomain_tmpfs:file ioctl ashmem_ioctls;
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity