ashmem: expand app access
We only want to remove "open" access from apps, so leave
apps with (rw_file_perms - open) permissions on /dev/ashmem
Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0c89d09..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,7 +65,7 @@
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
###
### neverallow rules
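Review bot: The new rule `allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };` gives no hint that the omission of `open` is deliberate, so a later reader comparing it against rw_file_perms may "fix" it by adding open back; a comment above it such as `# rw_file_perms minus open: apps must obtain /dev/ashmem fds from ashmemd rather than opening the device themselves` would pin the intent (the fd-from-ashmemd path is stated in the untrusted_app_all.te hunk's context; I am assuming the same mechanism is meant for ephemeral_app). The same applies to the isolated_app.te, mediaprovider.te and untrusted_app_all.te hunks. Relative to the removed line the set also adds `lock map append`, which the commit message describes only as a removal of open; stating the additions explicitly would make the change easier to audit. The removal is enforced only by omission, so unless a neverallow on `open` for these domains already exists elsewhere, one in the neverallow section that follows this hunk would keep it from being silently re-granted.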
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f51ccc9..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,7 +64,7 @@
# debuggable.
can_profile_heap(isolated_app)
-allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
#####
##### Neverallow
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index aa1d1e2..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -43,4 +43,4 @@
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
-allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d06e56a..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -188,4 +188,4 @@
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
-allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };