diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e841832a3..4d3299706 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -123,6 +123,7 @@
 su_tmpfs
 super_block_device
 sysfs_fs_f2fs
+ system_ashmem_hwservice
 system_bootstrap_lib_file
 system_event_log_tags_file
 system_lmk_prop
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f3745a3a3..925920271 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -76,6 +76,7 @@ android.hidl.base::IBase u:object_r:hidl_
 android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
 android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
 android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.ashmem::IAshmem u:object_r:system_ashmem_hwservice:s0
 android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
 android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
 android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
diff --git a/public/app.te b/public/app.te
index 5c48e71f5..36dd5e36b 100644
--- a/public/app.te
+++ b/public/app.te
@@ -357,8 +357,8 @@ allow appdomain audioserver_tmpfs:file { getattr map read write }; allow appdomain system_server_tmpfs:file { getattr map read write }; allow appdomain zygote_tmpfs:file { map read }; -# Allow vendor apps access to ashmemd to request /dev/ashmem fds. -binder_call({ appdomain -coredomain }, ashmemd) +# Allow vendor apps access to ashmem_server to request /dev/ashmem fds. +binder_call({ appdomain -coredomain }, ashmem_server) ### ### Neverallow rules
diff --git a/public/ashmem_server.te b/public/ashmem_server.te
new file mode 100644
index 000000000..e36a987b2
--- /dev/null
+++ b/public/ashmem_server.te
@@ -0,0 +1,3 @@
+hwbinder_use(ashmem_server)
+get_prop(ashmem_server, hwservicemanager_prop)
+add_hwservice(ashmem_server, system_ashmem_hwservice)
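Review bot: The rewritten rule in public/app.te, `binder_call({ appdomain -coredomain }, ashmem_server)`, now targets a service that the new public/ashmem_server.te registers with hwservicemanager, yet none of the hunks shown grants vendor apps `find` on `system_ashmem_hwservice`. If that lookup permission is not already granted outside this diff, the call is permitted but the service cannot be resolved. If it is granted elsewhere, it is worth confirming that it is scoped to `{ appdomain -coredomain }` like this rule rather than to all of appdomain.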
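Review bot: The new public/ashmem_server.te has no header comment, and its three macros are attached to the attribute rather than to a type, so every type later tagged `ashmem_server` gains hwbinder access and may register `system_ashmem_hwservice`. A leading comment would make that visible to whoever assigns the attribute next, for example `# Rules for domains serving android.system.ashmem::IAshmem; any type given this attribute may register the service.`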
diff --git a/public/ashmemd.te b/public/ashmemd.te
index 542f093be..9ead47720 100644
--- a/public/ashmemd.te
+++ b/public/ashmemd.te
@@ -1 +1,3 @@
-type ashmemd, domain;
+# TODO(b/133869224): Make private once ashmemd
+# is cleaned up from vendor sepolicy.
+type ashmemd, domain, ashmem_server;
diff --git a/public/attributes b/public/attributes
index 67979dafb..d296a4696 100644
--- a/public/attributes
+++ b/public/attributes
@@ -303,6 +303,7 @@ hal_attribute(wifi_supplicant); # from one core domain to another, without having to update the vendor image # which contains clients of this service. +attribute ashmem_server; attribute camera_service_server; attribute display_service_server; attribute mediaswcodec_server;
diff --git a/public/domain.te b/public/domain.te
index c68f5abcf..061189202 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@ allow { } ashmem_device:chr_file rw_file_perms; # Allow using fds to /dev/ashmem. -allow domain ashmemd:fd use; +allow domain ashmem_server:fd use; # /dev/binder can be accessed by non-vendor domains and by apps allow {
diff --git a/public/hwservice.te b/public/hwservice.te
index 7425878db..670b8b80f 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -65,6 +65,7 @@ type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
 type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/installd.te b/public/installd.te
index 04922f5b8..cec3d915e 100644
--- a/public/installd.te
+++ b/public/installd.te
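Review bot: `allow domain ashmem_server:fd use;` in public/domain.te widens the grant from one type to a public attribute, so every domain may use fds passed by any type that carries `ashmem_server`, not only ashmemd. The same widening applies to the `-ashmem_server` exceptions in the neverallow blocks of public/installd.te and public/vold.te, whose rule bodies continue outside their hunks. Only ashmemd receives the attribute in this diff, so I would record that expectation next to the rule, e.g. `# ashmem_server is expected to contain only ashmemd; review any new member, since every domain can use its fds.` It may also be worth a build-time check on the attribute's membership, because nothing shown here prevents another type from being tagged with it.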
@@ -170,7 +170,7 @@ neverallow { domain -system_server -dumpstate -installd } installd_service:servi neverallow { domain -system_server -dumpstate } installd:binder call; neverallow installd { domain -ashmemd -ashmem_server -system_server -servicemanager userdebug_or_eng(`-su')
diff --git a/public/vold.te b/public/vold.te
index 2a278eb82..3a38ba539 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -302,7 +302,7 @@ neverallow { neverallow vold { domain -ashmemd -ashmem_server -hal_health_storage_server -hal_keymaster_server -system_suspend_server