Merge "Neverallow app open access to /dev/ashmem" am: 7eb9143e46 am: 897933a3ae

am: 131b3dabe2

Change-Id: I92dfad7c36f5d00fbac9347d75a9e3d1210d441f
This commit is contained in:
Tri Vo 2019-02-27 16:42:10 -08:00 committed by android-build-merger
commit c9b3c15a90
8 changed files with 19 additions and 15 deletions

View file

@ -335,15 +335,10 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
# TODO(b/113362644): remove open permission from these domains.
# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
#neverallow {
# all_untrusted_apps
# TODO(b/113362644): route mediaprovider to ashmemd
# -mediaprovider
# -untrusted_app_25
# -untrusted_app_27
#} ashmem_device:chr_file open;
# In preparation to remove open permission, we audit open operations on
# /dev/ashmem.
auditallow all_untrusted_apps ashmem_device:chr_file open;
# They must use ASharedMemory NDK API instead.
neverallow {
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;

View file

@ -65,6 +65,8 @@ can_profile_heap(ephemeral_app)
allow ephemeral_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
###
### neverallow rules
###

View file

@ -64,6 +64,8 @@ unix_socket_connect(isolated_app, traced_producer, traced)
# debuggable.
can_profile_heap(isolated_app)
allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
#####
##### Neverallow
#####

View file

@ -42,3 +42,5 @@ allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };

View file

@ -60,3 +60,4 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_25 ashmem_device:chr_file open;

View file

@ -40,3 +40,4 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
# ASharedMemory instead.
allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
auditallow untrusted_app_27 ashmem_device:chr_file open;

View file

@ -188,3 +188,4 @@ userdebug_or_eng(`
# Allow access to ashmemd to request /dev/ashmem fds.
binder_call(untrusted_app_all, ashmemd)
allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };

View file

@ -68,10 +68,10 @@ allow {
domain
# TODO(b/113362644): route coredomain to ashmemd
#-coredomain
# TODO(b/113362644): remove open permission from apps.
#-ephemeral_app
#-isolated_app
#-untrusted_app_all
-mediaprovider
-ephemeral_app
-isolated_app
-untrusted_app_all
} ashmem_device:chr_file rw_file_perms;
# Allow using fds to /dev/ashmem.