From 8b12ff5f218139102d8eec90c91b114078be4402 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Tue, 12 Feb 2019 14:14:30 -0800
Subject: [PATCH] Neverallow app open access to /dev/ashmem

Apps are no longer allowed open access to /dev/ashmem, unless they target API level < Q.

Bug: 113362644
Test: device boots, Chrome, instant apps work
Change-Id: I1cff08f26159fbf48a42afa7cfa08eafa1936f42
---
 private/app_neverallows.te | 17 ++++++-----------
 private/ephemeral_app.te | 2 ++
 private/isolated_app.te | 2 ++
 private/mediaprovider.te | 2 ++
 private/untrusted_app_25.te | 1 +
 private/untrusted_app_27.te | 1 +
 private/untrusted_app_all.te | 1 +
 public/domain.te | 8 ++++----
 8 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 38a565150..17f411123 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -335,15 +335,10 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
 
-# TODO(b/113362644): remove open permission from these domains.
 # Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-#neverallow {
-#  all_untrusted_apps
-#  TODO(b/113362644): route mediaprovider to ashmemd
-#  -mediaprovider
-#  -untrusted_app_25
-#  -untrusted_app_27
-#} ashmem_device:chr_file open;
-# In preparation to remove open permission, we audit open operations on
-# /dev/ashmem.
-auditallow all_untrusted_apps ashmem_device:chr_file open;
+# They must use ASharedMemory NDK API instead.
+neverallow {
+  all_untrusted_apps
+  -untrusted_app_25
+  -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 05f41db68..0c89d09a4 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
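Review bot: The new neverallow drops both the draft's `-mediaprovider` exclusion and the TODO about routing mediaprovider to ashmemd, so if mediaprovider carries all_untrusted_apps (the dropped exclusion suggests it does) it is now barred from opening /dev/ashmem directly, while the mediaprovider.te hunk of this patch adds only `{ getattr read write ioctl }` and no binder_call to ashmemd comparable to the one visible in untrusted_app_all.te. Confirm that mediaprovider obtains its ashmem fds some other way, or say so in a comment next to its grant. Note also that neverallow is a build-time assertion, not a revocation; the actual removal of open from these domains is the domain.te change in this same patch, which a reader of this file cannot see. The two remaining exclusions would read better with their reason stated, e.g. `# untrusted_app_25/27 still serve apps targeting API < 29, which may open /dev/ashmem directly.`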
@@ -65,6 +65,8 @@ can_profile_heap(ephemeral_app)
 allow ephemeral_app system_server:udp_socket { connect getattr read recvfrom sendto write getopt setopt };
 
+allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };
+
 ###
 ### neverallow rules
 ###
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 8a0f96b55..f51ccc948 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -64,6 +64,8 @@ unix_socket_connect(isolated_app, traced_producer, traced)
 # debuggable.
 can_profile_heap(isolated_app)
 
+allow isolated_app ashmem_device:chr_file { getattr read write ioctl };
+
 #####
 ##### Neverallow
 #####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 249fee179..aa1d1e281 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -42,3 +42,5 @@ allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
 # MtpServer sets sys.usb.ffs.mtp.ready
 set_prop(mediaprovider, ffs_prop)
 set_prop(mediaprovider, exported_ffs_prop)
+
+allow mediaprovider ashmem_device:chr_file { getattr read write ioctl };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 5e669c7da..96ae0e802 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -60,3 +60,4 @@ userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_25 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 7427b6885..f9cd460df 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
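Review bot: The replacement grant `allow ephemeral_app ashmem_device:chr_file { getattr read write ioctl };` is narrower than the rw_file_perms these domains lose in domain.te by more than `open`: rw_file_perms also carries `lock`, `map` and `append`. ashmem regions are consumed by mmap on the fd, so on a kernel that enforces the `map` permission an fd obtained from ashmemd would presumably still be refused at mmap time; the Test line names Chrome and instant apps, so this may have been exercised, but it is worth confirming on a device with the map check before merging. The identical line is added without any comment in isolated_app.te, mediaprovider.te and untrusted_app_all.te as well; a one-line `# fds are obtained from ashmemd; open is deliberately not granted (b/113362644).` above each grant would tie it to the neverallow in app_neverallows.te.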
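Review bot: The added `auditallow untrusted_app_25 ashmem_device:chr_file open;` carries no comment saying why a still-permitted operation is being audited, and the same uncommented line is added in untrusted_app_27.te. Because the all_untrusted_apps-wide auditallow is removed in app_neverallows.te in this same patch, a reader may conclude that auditing of direct opens has ended rather than been narrowed to the legacy domains. A comment such as `# Audit remaining direct opens by legacy apps until open can be removed (b/113362644).` would preserve the intent for whoever finishes the migration.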
@@ -40,3 +40,4 @@ userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
 # The ability to talk to /dev/ashmem directly. targetApi>=29 must use
 # ASharedMemory instead.
 allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
+auditallow untrusted_app_27 ashmem_device:chr_file open;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index eab10dbac..d06e56ae0 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -188,3 +188,4 @@ userdebug_or_eng(`
 
 # Allow access to ashmemd to request /dev/ashmem fds.
 binder_call(untrusted_app_all, ashmemd)
+allow untrusted_app_all ashmem_device:chr_file { getattr read write ioctl };
diff --git a/public/domain.te b/public/domain.te
index e363c1fa4..554afe0bf 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -68,10 +68,10 @@ allow {
   domain
   # TODO(b/113362644): route coredomain to ashmemd
   #-coredomain
-  # TODO(b/113362644): remove open permission from apps.
-  #-ephemeral_app
-  #-isolated_app
-  #-untrusted_app_all
+  -mediaprovider
+  -ephemeral_app
+  -isolated_app
+  -untrusted_app_all
 } ashmem_device:chr_file rw_file_perms;
 
 # Allow using fds to /dev/ashmem.
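Review bot: The exclusion list in domain.te now mixes live exclusions (`-mediaprovider`, `-ephemeral_app`, `-isolated_app`, `-untrusted_app_all`) with the commented-out `#-coredomain` TODO, and nothing at this site says where the excluded domains get their narrower ashmem rules; the `allow {` head of this statement sits above the hunk. If untrusted_app_25 and untrusted_app_27 carry the untrusted_app_all attribute, as their own .te files elsewhere in this patch suggest, they lose this broad grant too and depend entirely on the `rw_file_perms` rules visible in untrusted_app_25.te and untrusted_app_27.te, which is fine but worth stating. A comment such as `# Excluded app domains receive /dev/ashmem fds from ashmemd and carry explicit grants without open in their own .te files.` placed before `-mediaprovider` would make that split explicit for the next person who edits this list.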