remove base system app ashmem execute

Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
GrapheneOS · Oct 17, 2020 · 279b176 · 279b176
1 parent e5e242e
commit 279b176
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 8 deletions.
diff --git a/prebuilts/api/30.0/private/ephemeral_app.te b/prebuilts/api/30.0/private/ephemeral_app.te
@@ -65,7 +65,8 @@ can_profile_perf(ephemeral_app)
 allow ephemeral_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-allow ephemeral_app ashmem_device:chr_file rw_file_perms;
+allow ephemeral_app ashmem_device:chr_file { rw_file_perms execute };
+auditallow ephemeral_app ashmem_device:chr_file execute;
 
 ###
 ### neverallow rules

diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
@@ -70,6 +70,9 @@ perfetto_producer(isolated_app)
 can_profile_heap(isolated_app)
 can_profile_perf(isolated_app)
 
+allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 #####
 ##### Neverallow
 #####

diff --git a/prebuilts/api/30.0/private/untrusted_app.te b/prebuilts/api/30.0/private/untrusted_app.te
@@ -24,3 +24,6 @@ auditallow untrusted_app self:process execmem;
 allow untrusted_app privapp_data_file:file { r_file_perms execute };
 allow untrusted_app app_data_file:file     { r_file_perms execute };
 auditallow untrusted_app app_data_file:file execute;
+
+allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
diff --git a/prebuilts/api/30.0/private/untrusted_app_29.te b/prebuilts/api/30.0/private/untrusted_app_29.te
@@ -27,3 +27,6 @@ auditallow untrusted_app_29 app_data_file:file execute;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
@@ -8,9 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 

diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
@@ -65,7 +65,8 @@ can_profile_perf(ephemeral_app)
 allow ephemeral_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };
 
-allow ephemeral_app ashmem_device:chr_file rw_file_perms;
+allow ephemeral_app ashmem_device:chr_file { rw_file_perms execute };
+auditallow ephemeral_app ashmem_device:chr_file execute;
 
 ###
 ### neverallow rules

diff --git a/private/isolated_app.te b/private/isolated_app.te
@@ -70,6 +70,9 @@ perfetto_producer(isolated_app)
 can_profile_heap(isolated_app)
 can_profile_perf(isolated_app)
 
+allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 #####
 ##### Neverallow
 #####

diff --git a/private/untrusted_app.te b/private/untrusted_app.te
@@ -24,3 +24,6 @@ auditallow untrusted_app self:process execmem;
 allow untrusted_app privapp_data_file:file { r_file_perms execute };
 allow untrusted_app app_data_file:file     { r_file_perms execute };
 auditallow untrusted_app app_data_file:file execute;
+
+allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
@@ -27,3 +27,6 @@ auditallow untrusted_app_29 app_data_file:file execute;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
diff --git a/public/app.te b/public/app.te
@@ -8,9 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;