Revert "sepolicy: rework ashmem_device permissions"
This reverts commit d9dcea570c22d8528dab0a535e1e5782ce523e26.
Reason for revert: http://b/142742451
Change-Id: If46d6dcbb5df21bad8b6a8215d8c21c6b6733476
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0c8bd4c..e5c6aee 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -238,6 +238,15 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+# They must use ASharedMemory NDK API instead.
+neverallow {
+ all_untrusted_apps
+ -ephemeral_app
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
+
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
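Review bot: The `-ephemeral_app` exemption in the added neverallow is unexplained, and the header comment only talks about apps targeting >= Q, so a reader cannot tell why ephemeral apps are carved out. The rule being removed from public/domain.te carried the reason inline, and I would keep it here: `-ephemeral_app # We don't distinguish ephemeral apps based on target API.`. While touching the comment, "targetting" should read "targeting". The trailing `neverallow {` context line opens a rule that continues outside this hunk and is not affected.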
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 94b58de..50cbd8c 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,6 +64,8 @@
# debuggable.
can_profile_heap(isolated_app)
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
+
#####
##### Neverallow
#####
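Review bot: The added `allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };` has no comment saying that `open` is omitted on purpose, so a later cleanup could replace the list with `rw_file_perms` and widen access. The identical rule added in private/mediaprovider.te has the same gap, while private/untrusted_app_all.te documents it. I would put the same line above both rules: `# Allow (rw_file_perms - open) access to /dev/ashmem.`. Whether the new neverallow in private/app_neverallows.te would catch such a widening depends on the membership of `all_untrusted_apps`, which is not visible in this diff.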
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 5050e1a..6926412 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -45,3 +45,5 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 116d761..249c33b 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,3 +176,6 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow (rw_file_perms - open) access to /dev/ashmem.
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/public/domain.te b/public/domain.te
index 9ebe4e0..79a9ed4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -70,11 +70,17 @@
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
+allow {
+ domain
+ # TODO(b/113362644): route coredomain to libcutils.
+ #-coredomain
+ -mediaprovider
+ -ephemeral_app
+ -isolated_app
+ -untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
-# /dev/ashmem is being deprecated by means of constraining and eventually
-# removing all "open" permissions. We preserve the other permissions.
-allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
-# This device is used by libcutils, which is accessible to everyone.
+# This device is used by libcutils.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
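Review bot: `ephemeral_app` is subtracted from the restored domain-wide `allow { ... } ashmem_device:chr_file rw_file_perms;` set, but unlike `isolated_app`, `mediaprovider` and `untrusted_app_all` no hunk in this change gives it the non-open permissions back; please confirm that its own policy file (not part of this diff) carries an ashmem_device rule. Separately, the commented-out `#-coredomain` inside the set is easy to misread as an active exclusion. With the domain-wide neverallow deleted in the next hunk, every domain other than the four subtracted ones is granted `open` again and nothing checks that at build time. I would move the TODO above the rule and say so explicitly: `# TODO(b/113362644): exclude coredomain once it is routed to libcutils; until then all non-app domains may open /dev/ashmem.`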
@@ -1374,12 +1380,3 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
- -ephemeral_app # We don't distinguish ephemeral apps based on target API.
- -untrusted_app_25
- -untrusted_app_27
-} ashmem_device:chr_file open;
diff --git a/public/init.te b/public/init.te
index 06a33a6..3a59641 100644
--- a/public/init.te
+++ b/public/init.te
@@ -286,6 +286,7 @@
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
allow init {
+ ashmem_device
binder_device
console_device
devpts