commit 46303aa1f7fcadd8136b401f687cf429fbee4865
author Kalesh Singh <kaleshsingh@google.com> Tue May 21 12:34:22 2019 -0700
committer Kalesh Singh <kaleshsingh@google.com> Wed May 29 14:44:47 2019 -0700
tree accc438c96b083a447105c7e5d535d5ed4d94f6c
parent 0f0fbd44f9bb002c5b35f64918122a56d1d072ea

Sepolicy for IAshmem HIDL interface

Change-Id: Id78f995661120f136d671ea0084db358e7662122
Bug: 133443879
Test: Manually check logcat for sepolicy denials (logcat | grep IAshmem)

private/compat/28.0/28.0.ignore.cil

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index b7466ac..0abb0b5 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -122,6 +122,7 @@
     su_tmpfs
     super_block_device
     sysfs_fs_f2fs
+    system_ashmem_hwservice
     system_bootstrap_lib_file
     system_event_log_tags_file
     system_lmk_prop

private/hwservice_contexts

diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f3745a3..9259202 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -76,6 +76,7 @@
 android.hidl.manager::IServiceManager                           u:object_r:hidl_manager_hwservice:s0
 android.hidl.memory::IMapper                                    u:object_r:hidl_memory_hwservice:s0
 android.hidl.token::ITokenManager                               u:object_r:hidl_token_hwservice:s0
+android.system.ashmem::IAshmem                                  u:object_r:system_ashmem_hwservice:s0
 android.system.net.netd::INetd                                  u:object_r:system_net_netd_hwservice:s0
 android.system.suspend::ISystemSuspend                          u:object_r:system_suspend_hwservice:s0
 android.system.wifi.keystore::IKeystore                         u:object_r:system_wifi_keystore_hwservice:s0

public/app.te

diff --git a/public/app.te b/public/app.te
index 5c48e71..36dd5e3 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,8 +357,8 @@
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 
-# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
-binder_call({ appdomain -coredomain }, ashmemd)
+# Allow vendor apps access to ashmem_server to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmem_server)
 
 ###
 ### Neverallow rules

public/ashmem_server.te

diff --git a/public/ashmem_server.te b/public/ashmem_server.te
new file mode 100644
index 0000000..e36a987
--- /dev/null
+++ b/public/ashmem_server.te
@@ -0,0 +1,3 @@
+hwbinder_use(ashmem_server)
+get_prop(ashmem_server, hwservicemanager_prop)
+add_hwservice(ashmem_server, system_ashmem_hwservice)

public/ashmemd.te

diff --git a/public/ashmemd.te b/public/ashmemd.te
index 542f093..9ead477 100644
--- a/public/ashmemd.te
+++ b/public/ashmemd.te
@@ -1 +1,3 @@
-type ashmemd, domain;
+# TODO(b/133869224): Make private once ashmemd
+# is cleaned up from vendor sepolicy.
+type ashmemd, domain, ashmem_server;

public/attributes

diff --git a/public/attributes b/public/attributes
index 67979da..d296a46 100644
--- a/public/attributes
+++ b/public/attributes
@@ -303,6 +303,7 @@
 # from one core domain to another, without having to update the vendor image
 # which contains clients of this service.
 
+attribute ashmem_server;
 attribute camera_service_server;
 attribute display_service_server;
 attribute mediaswcodec_server;

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index c68f5ab..0611892 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@
 } ashmem_device:chr_file rw_file_perms;
 
 # Allow using fds to /dev/ashmem.
-allow domain ashmemd:fd use;
+allow domain ashmem_server:fd use;
 
 # /dev/binder can be accessed by non-vendor domains and by apps
 allow {

public/hwservice.te

diff --git a/public/hwservice.te b/public/hwservice.te
index 7425878..670b8b8 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -65,6 +65,7 @@
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;

public/installd.te

diff --git a/public/installd.te b/public/installd.te
index 04922f5..cec3d91 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -170,7 +170,7 @@
 neverallow { domain -system_server -dumpstate } installd:binder call;
 neverallow installd {
     domain
-    -ashmemd
+    -ashmem_server
     -system_server
     -servicemanager
     userdebug_or_eng(`-su')

public/vold.te

diff --git a/public/vold.te b/public/vold.te
index 2a278eb..3a38ba5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -302,7 +302,7 @@
 
 neverallow vold {
   domain
-  -ashmemd
+  -ashmem_server
   -hal_health_storage_server
   -hal_keymaster_server
   -system_suspend_server