Neverallow app open access to /dev/ashmem

Apps are no longer allowed open access to /dev/ashmem, unless they target API level < Q. Bug: 113362644 Test: device boots, Chrome, instant apps work Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
2019-02-12 14:14:30 -08:00 · 2019-02-12 14:14:30 -08:00 · 8b12ff5f21
commit 8b12ff5f21
parent 1c8b376f81
8 changed files with 19 additions and 15 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -335,15 +335,10 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;

-# TODO(b/113362644): remove open permission from these domains.
 # Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-#  all_untrusted_apps
-# TODO(b/113362644): route mediaprovider to ashmemd
-#  -mediaprovider
-#  -untrusted_app_25
-#  -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@ -65,6 +65,8 @@ can_profile_heap(ephemeral_app)
 allow ephemeral_app system_server:udp_socket {
        connect getattr read recvfrom sendto write getopt setopt };

+allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+
 ###
 ### neverallow rules
 ###
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -64,6 +64,8 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 # debuggable.
 can_profile_heap(isolated_app)

+allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+
 #####
 ##### Neverallow
 #####
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@ -42,3 +42,5 @@ allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 # MtpServer sets sys.usb.ffs.mtp.ready
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@ -60,3 +60,4 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@ -40,3 +40,4 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@ -188,3 +188,4 @@ userdebug_or_eng(`

 # Allow access to ashmemd to request /dev/ashmem fds.
 binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
--- a/public/domain.te
+++ b/public/domain.te
@ -68,10 +68,10 @@ allow {
  domain
  # TODO(b/113362644): route coredomain to ashmemd
  #-coredomain
-  # TODO(b/113362644): remove open permission from apps.
-  #-ephemeral_app
-  #-isolated_app
-  #-untrusted_app_all
+  -mediaprovider
+  -ephemeral_app
+  -isolated_app
+  -untrusted_app_all
 } ashmem_device:chr_file rw_file_perms;

 # Allow using fds to /dev/ashmem.