Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / b554a950f41452e2ad9d3b4d44aa0231a98e9a2e
commitb554a950f41452e2ad9d3b4d44aa0231a98e9a2e[log] [tgz]
authorTri Vo <trong@google.com>Tue Oct 15 22:27:28 2019 +0000
committerTri Vo <trong@google.com>Tue Oct 15 22:27:28 2019 +0000
treece085668b5a048fb123dcf8ad216f476b021e94f
parent5527d706c7a8d7038d3b5144e3e56d9c09e869fa [diff]
Reland "sepolicy: rework ashmem_device permissions"

Only allow apps targetting < Q and ephemeral apps to open /dev/ashmem.
Ephemeral apps are not distinguishable based on target API. So allow
ephemeral_app to open /dev/ashmem for compatibility reasons.

For sake of simplicity, allow all domains /dev/ashmem permissions other
than "open". Reason being that once we can remove "open" access
everywhere, we can remove the device altogether along with  other
permission.

Bug: 134434505
Test: boot crosshatch; browse internet, take picture;
no ashmem_device denials

Change-Id: Ie2464c23d799550722580a21b4f6f344983b43ba
6 files changed
tree: ce085668b5a048fb123dcf8ad216f476b021e94f
  1. apex/
  2. build/
  3. prebuilts/
  4. private/
  5. public/
  6. reqd_mask/
  7. tests/
  8. tools/
  9. vendor/
  10. .gitignore
  11. Android.bp
  12. Android.mk
  13. CleanSpec.mk
  14. compat.mk
  15. contexts_tests.mk
  16. definitions.mk
  17. mac_permissions.mk
  18. MODULE_LICENSE_PUBLIC_DOMAIN
  19. NOTICE
  20. OWNERS
  21. policy_version.mk
  22. PREUPLOAD.cfg
  23. README
  24. seapp_contexts.mk
  25. treble_sepolicy_tests_for_release.mk