Allow write access to ashmem allocated regions Allow tmpfs_domains the ability to write to ashmem allocated regions. At least one Google internal app does this, and switching untrusted_app into enforcing causes the following denial: <5>[ 291.791423] type=1400 audit(1385587240.320:79): avc: denied { write } for pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file path=/dev/ashmem (deleted) Bug: 11891764 Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d

commit: 476855357b5ec9f59754cdb5aa0f0a6806b34049 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Nov 27 13:33:04 2013 -0800
committer: Nick Kralevich <nnk@google.com> Wed Nov 27 13:36:48 2013 -0800
tree: 080ffdeb052b5b17dad19415cb113769e71e066a
parent: 2ffd52a47283681e8a9034327930a0dbea98b77c [diff]
diff --git a/te_macros b/te_macros
index c7c93aa..7be9d59 100644
--- a/te_macros
+++ b/te_macros

@@ -89,7 +89,7 @@
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 # Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read execute execmod };
+allow $1 $1_tmpfs:file { read write execute execmod };
 ')
 
 #####################################
commit	476855357b5ec9f59754cdb5aa0f0a6806b34049	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Nov 27 13:33:04 2013 -0800
committer	Nick Kralevich <nnk@google.com>	Wed Nov 27 13:36:48 2013 -0800
tree	080ffdeb052b5b17dad19415cb113769e71e066a
parent	2ffd52a47283681e8a9034327930a0dbea98b77c [diff]