sepolicy for ashmemd

all_untrusted_apps apart from untrusted_app_{25, 27} and mediaprovider
are now expected to go to ashmemd for /dev/ashmem fds.

Give coredomain access to ashmemd, because ashmemd is the default way
for coredomain to get a /dev/ashmem fd.

Bug: 113362644
Test: device boots, ashmemd running
Test: Chrome app works
Test: "lsof /system/lib64/libashmemd_client.so" shows
libashmemd_client.so being loaded into apps.
Change-Id: I279448c3104c5d08a1fefe31730488924ce1b37a

private/app_neverallows.te

@@ -334,3 +334,13 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+
+# TODO(b/113362644): remove open permission from these domains.
+# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
+#neverallow {
+#  all_untrusted_apps
+# TODO(b/113362644): route mediaprovider to ashmemd
+#  -mediaprovider
+#  -untrusted_app_25
+#  -untrusted_app_27
+#} ashmem_device:chr_file open;

private/app_zygote.te

@@ -100,6 +100,7 @@ neverallow app_zygote {
 neverallow app_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 

private/ashmemd.te

@@ -0,0 +1,9 @@
+typeattribute ashmemd coredomain;
+type ashmemd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(ashmemd)
+
+binder_use(ashmemd)
+add_service(ashmemd, ashmem_device_service)
+
+allow ashmemd ashmem_device:chr_file rw_file_perms;

private/compat/28.0/28.0.ignore.cil

@@ -20,6 +20,8 @@
     app_prediction_service
     app_zygote
     app_zygote_tmpfs
+    ashmemd
+    ashmem_device_service
     biometric_service
     bpf_progs_loaded_prop
     bugreport_service

private/coredomain.te

@@ -188,3 +188,18 @@ neverallow coredomain {
 full_treble_only(`
   neverallow coredomain tee_device:chr_file { open read append write ioctl };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+allow {
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+} ashmem_device_service:service_manager find;
+
+binder_call({
+  coredomain
+  -init
+  -iorapd
+  -perfprofd
+}, ashmemd)

private/file_contexts

@@ -186,6 +186,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/lib(64)?(/.*)?		u:object_r:system_lib_file:s0
 /system/bin/atrace	u:object_r:atrace_exec:s0
+/system/bin/ashmemd	u:object_r:ashmemd_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0

private/hal_allocator_default.te

@@ -3,3 +3,6 @@ hal_server_domain(hal_allocator_default, hal_allocator)
 
 type hal_allocator_default_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(hal_allocator_default)
+
+# To talk to ashmemd
+binder_use(hal_allocator_default)

private/isolated_app.te

@@ -90,10 +90,12 @@ neverallow isolated_app *:service_manager ~find;
 
 # b/17487348
 # Isolated apps can only access three services,
-# activity_service, display_service and webviewupdate_service.
+# activity_service, display_service, webviewupdate_service, and
+# ashmem_device_service.
 neverallow isolated_app {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -display_service
     -webviewupdate_service
 }:service_manager find;

private/service.te

@@ -1,3 +1,4 @@
+type ashmem_device_service,         app_api_service, service_manager_type;
 type dynamic_android_service,       system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;

private/service_contexts

@@ -10,6 +10,7 @@ android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s
 app_binding                               u:object_r:app_binding_service:s0
 app_prediction                            u:object_r:app_prediction_service:s0
 apexservice                               u:object_r:apex_service:s0
+ashmem_device_service                     u:object_r:ashmem_device_service:s0
 gsiservice                                u:object_r:gsi_service:s0
 appops                                    u:object_r:appops_service:s0
 appwidget                                 u:object_r:appwidget_service:s0

private/untrusted_app_25.te

@@ -56,3 +56,7 @@ auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;

private/untrusted_app_27.te

@@ -36,3 +36,7 @@ auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
 # allowed for targetApi<=28 for compat reasons.
 allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
 userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
+
+# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
+# ASharedMemory instead.
+allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;

private/untrusted_app_all.te

@@ -176,3 +176,9 @@ userdebug_or_eng(`
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
 ')
+
+# Allow access to ashmemd to request /dev/ashmem fds.
+binder_call(untrusted_app_all, ashmemd)
+
+# TODO(b/113362644): audit apps directly using /dev/ashmem and emit error
+# message with info on how to fix that.

private/webview_zygote.te

@@ -111,6 +111,7 @@ neverallow webview_zygote {
 neverallow webview_zygote {
     service_manager_type
     -activity_service
+    -ashmem_device_service
     -webviewupdate_service
 }:service_manager find;
 

public/app.te

@@ -357,6 +357,8 @@ allow appdomain audioserver_tmpfs:file { getattr map read write };
 allow appdomain system_server_tmpfs:file { getattr map read write };
 allow appdomain zygote_tmpfs:file { map read };
 
+# Allow vendor apps access to ashmemd to request /dev/ashmem fds.
+binder_call({ appdomain -coredomain }, ashmemd)
 
 ###
 ### Neverallow rules

public/ashmemd.te

@@ -0,0 +1 @@
+type ashmemd, domain;

public/domain.te

@@ -64,7 +64,19 @@ allow domain socket_device:dir r_dir_perms;
 allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
-allow domain ashmem_device:chr_file rw_file_perms;
+allow {
+  domain
+  # TODO(b/113362644): route coredomain to ashmemd
+  #-coredomain
+  -ephemeral_app
+  # TODO(b/113362644): remove open permission from these domains.
+  #-isolated_app
+  #-untrusted_app_all
+} ashmem_device:chr_file rw_file_perms;
+
+# Allow using fds to /dev/ashmem.
+allow domain ashmemd:fd use;
+
 # /dev/binder can be accessed by non-vendor domains and by apps
 allow {
   coredomain

public/installd.te

@@ -166,4 +166,10 @@ allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 # only system_server, installd and dumpstate may interact with installd over binder
 neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } installd:binder call;
-neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
+neverallow installd {
+    domain
+    -ashmemd
+    -system_server
+    -servicemanager
+    userdebug_or_eng(`-su')
+}:binder call;

public/vold.te

@@ -285,6 +285,7 @@ neverallow { domain -vold -init } restorecon_prop:property_service set;
 neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
 neverallow vold {
   domain
+  -ashmemd
   -hal_health_storage_server
   -hal_keymaster_server
   -hal_system_suspend_server