Neverallow app open access to /dev/ashmem

Apps are no longer allowed open access to /dev/ashmem, unless they
target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 38a5651..17f4111 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -335,15 +335,10 @@
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
 
-# TODO(b/113362644): remove open permission from these domains.
 # Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-#  all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-#  -mediaprovider
-#  -untrusted_app_25
-#  -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;
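Review bot: Removing `auditallow all_untrusted_apps ashmem_device:chr_file open;` drops all logging of direct /dev/ashmem opens, including opens from `untrusted_app_25` and `untrusted_app_27`, which the new neverallow still exempts. If those legacy domains keep their allow rule (not visible in this hunk), consider a narrowed `auditallow { untrusted_app_25 untrusted_app_27 } ashmem_device:chr_file open;` so the remaining direct users stay measurable until the exemption can be removed. The exemption list would also benefit from a comment such as `# untrusted_app_25/27 are exempt only for pre-Q targetSdkVersion compatibility; remove once those domains are migrated.` Separately, the old commented-out rule subtracted `mediaprovider` from `all_untrusted_apps` and the new rule does not. Confirm that its open permission on `ashmem_device` is removed elsewhere in this change, because a leftover allow would conflict with this neverallow at policy build time.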