remove base system app ashmem execute

Signed-off-by: anupritaisno1 <[email protected]>

Author: renlord

prebuilts/api/30.0/private/ephemeral_app.te

@@ -67,6 +67,9 @@ allow ephemeral_app system_server:udp_socket {
 
 allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 
+allow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 ###
 ### neverallow rules
 ###

prebuilts/api/30.0/private/isolated_app.te

@@ -70,6 +70,9 @@ perfetto_producer(isolated_app)
 can_profile_heap(isolated_app)
 can_profile_perf(isolated_app)
 
+allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 #####
 ##### Neverallow
 #####

prebuilts/api/30.0/private/untrusted_app.te

@@ -24,3 +24,6 @@ auditallow untrusted_app self:process execmem;
 allow untrusted_app privapp_data_file:file { r_file_perms execute };
 allow untrusted_app app_data_file:file     { r_file_perms execute };
 auditallow untrusted_app app_data_file:file execute;
+
+allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;

prebuilts/api/30.0/private/untrusted_app_25.te

@@ -61,3 +61,6 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;

prebuilts/api/30.0/private/untrusted_app_27.te

@@ -49,3 +49,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;

prebuilts/api/30.0/private/untrusted_app_29.te

@@ -27,3 +27,6 @@ auditallow untrusted_app_29 app_data_file:file execute;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;

prebuilts/api/30.0/public/app.te

@@ -8,9 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 

private/ephemeral_app.te

@@ -67,6 +67,9 @@ allow ephemeral_app system_server:udp_socket {
 
 allow ephemeral_app ashmem_device:chr_file rw_file_perms;
 
+allow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow ephemeral_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 ###
 ### neverallow rules
 ###

private/isolated_app.te

@@ -70,6 +70,9 @@ perfetto_producer(isolated_app)
 can_profile_heap(isolated_app)
 can_profile_perf(isolated_app)
 
+allow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow isolated_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+
 #####
 ##### Neverallow
 #####

private/untrusted_app.te

@@ -24,3 +24,6 @@ auditallow untrusted_app self:process execmem;
 allow untrusted_app privapp_data_file:file { r_file_perms execute };
 allow untrusted_app app_data_file:file     { r_file_perms execute };
 auditallow untrusted_app app_data_file:file execute;
+
+allow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app { ashmem_device ashmem_libcutils_device }:chr_file execute;

private/untrusted_app_25.te

@@ -61,3 +61,6 @@ allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_25 { ashmem_device ashmem_libcutils_device }:chr_file execute;

private/untrusted_app_27.te

@@ -49,3 +49,6 @@ allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_27 { ashmem_device ashmem_libcutils_device }:chr_file execute;

private/untrusted_app_29.te

@@ -27,3 +27,6 @@ auditallow untrusted_app_29 app_data_file:file execute;
 
 # allow binding to netlink route sockets and sending RTM_GETLINK messages.
 allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
+
+allow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;
+auditallow untrusted_app_29 { ashmem_device ashmem_libcutils_device }:chr_file execute;

public/app.te

@@ -8,9 +8,6 @@
 ###
 type appdomain_tmpfs, file_type;
 
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-auditallow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;