Merge "Neverallow app open access to /dev/ashmem"

private/app_neverallows.te

@@ -335,15 +335,10 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
 
-# TODO(b/113362644): remove open permission from these domains.
 # Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-#  all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-#  -mediaprovider
-#  -untrusted_app_25
-#  -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;

private/ephemeral_app.te

@@ -65,6 +65,8 @@ can_profile_heap(ephemeral_app)
 allow ephemeral_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
+allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+
 ###
 ### neverallow rules
 ###

private/isolated_app.te

@@ -64,6 +64,8 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 # debuggable.
 can_profile_heap(isolated_app)
 
+allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+
 #####
 ##### Neverallow
 #####

private/mediaprovider.te

@@ -42,3 +42,5 @@ allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 # MtpServer sets sys.usb.ffs.mtp.ready
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };

private/untrusted_app_25.te

@@ -60,3 +60,4 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;

private/untrusted_app_27.te

@@ -40,3 +40,4 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;

private/untrusted_app_all.te

@@ -188,3 +188,4 @@ userdebug_or_eng(`
 
 # Allow access to ashmemd to request /dev/ashmem fds.
 binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };

public/domain.te

@@ -68,10 +68,10 @@ allow {
   domain
   # TODO(b/113362644): route coredomain to ashmemd
   #-coredomain
-  # TODO(b/113362644): remove open permission from apps.
-  #-ephemeral_app
-  #-isolated_app
-  #-untrusted_app_all
+  -mediaprovider
+  -ephemeral_app
+  -isolated_app
+  -untrusted_app_all
 } ashmem_device:chr_file rw_file_perms;
 
 # Allow using fds to /dev/ashmem.