audit apps opening /dev/ashmem
Bug: 113362644
Test: boot device
Test: use Chrome app, no audit logs
Change-Id: I6c78c7ac258a4ea90d501a152b5c9e7851afcf08
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e46c4ef..38a5651 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -344,3 +344,6 @@
# -untrusted_app_25
# -untrusted_app_27
#} ashmem_device:chr_file open;
+# In preparation to remove open permission, we audit open operations on
+# /dev/ashmem.
+auditallow all_untrusted_apps ashmem_device:chr_file open;
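Review bot: The `auditallow` on the last added line covers every domain in `all_untrusted_apps`, while the commented-out neverallow directly above it lists `-untrusted_app_25` and `-untrusted_app_27` as exclusions, so the audit log will presumably also record opens from legacy-target apps that the planned rule would keep allowing. If that is intended, the added comment should say so; otherwise the source set could mirror those exclusions to keep triage noise down. The comment would also be clearer if it stated that auditallow only logs accesses granted elsewhere and named the removal condition, e.g. `# auditallow logs granted opens only; drop once the neverallow above is enabled (b/113362644).` The commented-out rule begins outside this hunk, so its full source set is not visible here. The TODO deleted in private/untrusted_app_all.te also asked for an error message telling developers how to fix their app, which nothing visible in this change provides, so that half may still need tracking.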
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index c1cd6c7..24e42d3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -187,6 +187,3 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
-
-# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
-# message with info on how to fix that.