From a7f61021b798cd7b35f81b12340d9ba216808c0b Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Tue, 24 Sep 2019 14:43:00 -0700
Subject: [PATCH] sepolicy: ashmem entry point for libcutils
This duplicated ashmem device is intended to replace ashmemd. Ashmem fd has a label of the domain that opens it. Now with ashmemd removed, ashmem fds can have labels other than "ashmemd", e.g. "system_server". We add missing permissions to make ashmem fds usable.
Bug: 139855428
Test: boot device
Change-Id: Iec8352567f1e4f171f76db1272935eee59156954
---
 private/compat/29.0/29.0.ignore.cil | 1 +
 private/file_contexts | 1 +
 public/device.te | 1 +
 public/domain.te | 3 +++
 vendor/hal_sensors_default.te | 3 +++
 5 files changed, 9 insertions(+)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 84eff8993..425708704 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
 ( new_objects
+ ashmem_libcutils_device
 boringssl_self_test
 charger_prop
 cold_boot_done_prop
diff --git a/private/file_contexts b/private/file_contexts
index 1e9549ccd..b1b100ea4 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -75,6 +75,7 @@
 /dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
 /dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
 /dev/ashmem u:object_r:ashmem_device:s0
+/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
 /dev/audio.* u:object_r:audio_device:s0
 /dev/binder u:object_r:binder_device:s0
 /dev/block(/.*)? u:object_r:block_device:s0
diff --git a/public/device.te b/public/device.te
index e20a68bd0..fad0f610d 100644
--- a/public/device.te
+++ b/public/device.te
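Review bot: The new `/dev/ashmem(.*)?` entry in `private/file_contexts` is broader than it needs to be: it also matches the bare `/dev/ashmem` path and any other node whose name merely starts with `ashmem`, so the existing literal entry presumably keeps its `ashmem_device` label only because label lookup prefers the more specific match. Since `public/domain.te` in this same patch gives every domain `rw_file_perms` on `ashmem_libcutils_device`, any future node under that prefix would inherit that access without anyone deciding it should. If the libcutils node has a fixed name format (not visible in this patch), anchor the pattern to that format, and add a comment above the entry such as `# libcutils entry point; the literal /dev/ashmem entry above must keep ashmem_device`.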
@@ -1,6 +1,7 @@
 # Device types
 type device, dev_type, fs_type;
 type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
diff --git a/public/domain.te b/public/domain.te
index 28fd39e91..8af30866c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,9 @@ allow { -untrusted_app_all } ashmem_device:chr_file rw_file_perms; +# This device is used by libcutils. +allow domain ashmem_libcutils_device:chr_file rw_file_perms; + # Allow using fds to /dev/ashmem. allow domain ashmem_server:fd use;
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 172e6864a..f00b25a54 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -17,3 +17,6 @@ allow hal_sensors_default ion_device:chr_file r_file_perms;
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.
 wakelock_use(hal_sensors_default);
+
+# allow sensor hal to use ashmem fd from system_server.
+allow hal_sensors_default system_server:fd use;
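Review bot: The added comment `# This device is used by libcutils.` in `public/domain.te` does not say why the grant goes to all of `domain`, while the rule ending directly above it in this hunk carves out `-untrusted_app_all` for `ashmem_device`. `rw_file_perms` includes open and ioctl, so the new node is reachable from every domain, including the ones that exclusion covers. Going by the commit message this looks intended, because each process now opens the node itself, but the policy file should record it. I would expand the comment to something like `# libcutils opens this node in-process now that ashmemd is gone, so every domain needs open; unlike ashmem_device, no domain is excluded.` The preceding `allow { ... }` block starts outside the hunk, so its full domain set is not visible here.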
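Review bot: The rule `allow hal_sensors_default system_server:fd use;` is wider than its comment: `fd use` is keyed on the label of the process that opened the descriptor, so it covers every fd system_server passes to the sensor HAL, not only ashmem ones (access to the object behind each fd is still checked separately). Reword the comment to say that, e.g. `# ashmem fds now carry the opener's label; allow use of fds opened by system_server.` The commit message implies the same label change affects any domain that receives ashmem fds from a process other than ashmemd, and `Test: boot device` would likely not exercise those paths, so it is worth checking for further `fd use` denials beyond this one HAL.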