Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d9dcea570c22d8528dab0a535e1e5782ce523e26
commitd9dcea570c22d8528dab0a535e1e5782ce523e26[log] [tgz]
authorTri Vo <trong@google.com>Thu Oct 03 14:17:05 2019 -0700
committerTri Vo <trong@google.com>Mon Oct 07 14:13:35 2019 -0700
treece085668b5a048fb123dcf8ad216f476b021e94f
parent0c8a90693ab273a6c10624d65310fb9c37f0a5f0 [diff]
sepolicy: rework ashmem_device permissions

Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials
Change-Id: Ib4dddc47fcafb2697795538cdf055f305fa77799
6 files changed
tree: ce085668b5a048fb123dcf8ad216f476b021e94f
  1. apex/
  2. build/
  3. prebuilts/
  4. private/
  5. public/
  6. reqd_mask/
  7. tests/
  8. tools/
  9. vendor/
  10. .gitignore
  11. Android.bp
  12. Android.mk
  13. CleanSpec.mk
  14. compat.mk
  15. contexts_tests.mk
  16. definitions.mk
  17. mac_permissions.mk
  18. MODULE_LICENSE_PUBLIC_DOMAIN
  19. NOTICE
  20. OWNERS
  21. policy_version.mk
  22. PREUPLOAD.cfg
  23. README
  24. seapp_contexts.mk
  25. treble_sepolicy_tests_for_release.mk