sepolicy for ashmemd
all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.
Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.
Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 4ecb355..e46c4ef 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -334,3 +334,13 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
+
+# TODO(b/113362644): remove open permission from these domains.
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+#neverallow {
+# all_untrusted_apps
+# TODO(b/113362644): route mediaprovider to ashmemd
+# -mediaprovider
+# -untrusted_app_25
+# -untrusted_app_27
+#} ashmem_device:chr_file open;
diff --git a/private/app_zygote.te b/private/app_zygote.te
index aa5be4c..e221666 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -100,6 +100,7 @@
neverallow app_zygote {
service_manager_type
-activity_service
+ -ashmem_device_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/ashmemd.te b/private/ashmemd.te
new file mode 100644
index 0000000..08df515
--- /dev/null
+++ b/private/ashmemd.te
@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6154e3c..c989825 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -20,6 +20,8 @@
app_prediction_service
app_zygote
app_zygote_tmpfs
+ ashmemd
+ ashmem_device_service
biometric_service
bpf_progs_loaded_prop
bugreport_service
diff --git a/private/coredomain.te b/private/coredomain.te
index 9899d02..ebad8e7 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -188,3 +188,18 @@
full_treble_only(`
neverallow coredomain tee_device:chr_file { open read append write ioctl };
')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+ coredomain
+ -init
+ -iorapd
+ -perfprofd
+}, ashmemd)
diff --git a/private/file_contexts b/private/file_contexts
index b793e82..0c37525 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -186,6 +186,7 @@
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index 7aa28aa..9dbe923 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -3,3 +3,6 @@
type hal_allocator_default_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 017f46b..8a0f96b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -90,10 +90,12 @@
# b/17487348
# Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
neverallow isolated_app {
service_manager_type
-activity_service
+ -ashmem_device_service
-display_service
-webviewupdate_service
}:service_manager find;
diff --git a/private/service.te b/private/service.te
index 89664e4..1bec3ce 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,3 +1,4 @@
+type ashmem_device_service, app_api_service, service_manager_type;
type dynamic_android_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 650b62e..1462033 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -10,6 +10,7 @@
app_binding u:object_r:app_binding_service:s0
app_prediction u:object_r:app_prediction_service:s0
apexservice u:object_r:apex_service:s0
+ashmem_device_service u:object_r:ashmem_device_service:s0
gsiservice u:object_r:gsi_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 7cccbac..5e669c7 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -56,3 +56,7 @@
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0c9c684..7427b68 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -36,3 +36,7 @@
# allowed for targetApi<=28 for compat reasons.
allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 2c44627..2d07ecd 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,3 +176,9 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+
+# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
+# message with info on how to fix that.
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index f9deff0..95affef 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -111,6 +111,7 @@
neverallow webview_zygote {
service_manager_type
-activity_service
+ -ashmem_device_service
-webviewupdate_service
}:service_manager find;