ashmem: expand app access

We are only interested in removing "open" access from apps, so leave
apps with (rw_file_perms - open) permissions on /dev/ashmem.

Bug: 126627315
Test: emulator boots without denials to /dev/ashmem
Change-Id: I7f03fad5e4e82aebd1b6272e4956b16f86043637
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 0c89d09..a94c637 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -65,7 +65,7 @@
 allow ephemeral_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };
 
 ###
 ### neverallow rules
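Review bot: Nothing next to the new `ashmem_device:chr_file` rule says that `open` is left out on purpose; per the commit message, `{ getattr read ioctl lock map append write }` is a hand-expanded copy of rw_file_perms minus `open`. The same literal list is repeated in the isolated_app.te, mediaprovider.te and untrusted_app_all.te hunks, so a later cleanup that collapses any one of them back to `rw_file_perms` would silently restore direct opens of /dev/ashmem for that domain. I would put a comment above each rule, for example `# rw_file_perms minus open: this domain may use an ashmem fd it was handed, but must not open /dev/ashmem itself`. If the policy does not already have an equivalent rule outside these hunks, I would also add `neverallow { ephemeral_app isolated_app mediaprovider untrusted_app_all } ashmem_device:chr_file open;` so the build enforces the restriction rather than relying on four lists staying in sync.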
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f51ccc9..b7c812b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,7 +64,7 @@
 # debuggable.
 can_profile_heap(isolated_app)
 
-allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
 
 #####
 ##### Neverallow
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index aa1d1e2..30d3fe0 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -43,4 +43,4 @@
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)
 
-allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index d06e56a..3c20c08 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -188,4 +188,4 @@
 
 # Allow access to ashmemd to request /dev/ashmem fds.
 binder_call(untrusted_app_all, ashmemd)
-allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };