Neverallow app open access to /dev/ashmem
Apps are no longer allowed to open /dev/ashmem directly, unless they
target API level < Q.
Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 38a5651..17f4111 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -335,15 +335,10 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-# TODO(b/113362644): remove open permission from these domains.
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-# all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-# -mediaprovider
-# -untrusted_app_25
-# -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+ all_untrusted_apps
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
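Review bot: The new neverallow's exclusion list drops mediaprovider, which the removed draft rule (and its TODO) still excluded; that is consistent with the mediaprovider.te hunk in this patch granting only `{ getattr read write ioctl }`, but nothing next to the rule says so, and the next person to hit the neverallow for a domain that needs ashmem may be tempted to extend the exclusion list instead of routing it through ashmemd. I would extend the comment above the rule: `# Domains that still need ashmem receive fds from ashmemd and are only granted fd operations (getattr/read/write/ioctl); do not add exclusions here.` Note also that the removed `auditallow all_untrusted_apps ... open` is now only carried by the two excluded domains (see the untrusted_app_25/27 hunks), which is the intended narrowing once this neverallow passes the policy build.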
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 05f41db..0c89d09 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,6 +65,8 @@
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
+allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+
###
### neverallow rules
###
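Review bot: The added `ioctl` on `ashmem_device:chr_file` comes with no `allowxperm` ioctl-command restriction, so an fd handed over by ashmemd can be driven with any ioctl the driver accepts, not only the ones the ASharedMemory path needs; if this policy already constrains ioctls with `allowxperm` elsewhere, consider doing the same here. The same unconditioned line is added for isolated_app, mediaprovider and untrusted_app_all later in this patch, so one decision covers all four. Each added line also lacks a comment explaining why fd operations are granted while open is not; I would add `# Use (but never open) /dev/ashmem fds; open is neverallowed for untrusted apps in app_neverallows.te.` above each. Whether ephemeral_app and isolated_app can actually reach ashmemd to obtain such fds is not visible in these hunks (only untrusted_app_all shows the `binder_call(..., ashmemd)`), so that should be confirmed.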
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 8a0f96b..f51ccc9 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,6 +64,8 @@
# debuggable.
can_profile_heap(isolated_app)
+allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+
#####
##### Neverallow
#####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee1..aa1d1e2 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,5 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5e669c7..96ae0e8 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
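Review bot: The new `auditallow` has no comment stating its purpose, and the existing comment two lines above only explains the allow, so a reader cannot tell whether this is temporary measurement or a permanent audit; the same applies to the untrusted_app_27 hunk. I would add above it: `# Audit direct opens so remaining legacy (targetSdk < Q) usage can be measured before rw_file_perms is removed.` If that reading is right, it is worth noting in the comment that an audit line is emitted for every open by these domains, which can be noisy on devices with many legacy apps, so the rule should be revisited rather than left indefinitely.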
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7427b68..f9cd460 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -40,3 +40,4 @@
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index eab10db..d06e56a 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -188,3 +188,4 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };