Merge "ashmem: expand app access"

2019-02-28 22:00:50 +00:00 · 2019-02-28 22:00:50 +00:00 · e8cb09db42
commit e8cb09db42
parent 412cc87475 9fbc87c89f
4 changed files with 4 additions and 4 deletions
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -65,7 +65,7 @@ can_profile_heap(ephemeral_app)
 allow ephemeral_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

-allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+allow ephemeral_app ashmem_device:chr_file { getattr read ioctl lock map append write };

 ###
 ### neverallow rules
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -64,7 +64,7 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 # debuggable.
 can_profile_heap(isolated_app)

-allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };

 #####
 ##### Neverallow
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@ -43,4 +43,4 @@ allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)

-allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
+allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@ -188,4 +188,4 @@ userdebug_or_eng(`

 # Allow access to ashmemd to request /dev/ashmem fds.
 binder_call(untrusted_app_all, ashmemd)
-allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
+allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };