sepolicy: Allow apps to read ashmem fds from system_server (0161c3a2) · Commits · CodeLinaro / public-release-test / platform / system / sepolicy · GitLab

Snippets Groups Projects

Commit 0161c3a2 authored 6 years ago by Benjamin Gordon Committed by Sravanthi Palakonda 5 years ago

sepolicy: Allow apps to read ashmem fds from system_server

Kernel commit 8a2af06415ef0fc922162503dd18da0d9be7771f (ashmem: switch
to ->read_iter) switched ashmem from using __vfs_read to vfs_iter_read
to read the backing shmem file.  Prior to this, reading from an ashmem
fd that was passed between processes didn't hit any permission checks;
now SELinux checks that the receiver can read from the creator's file
context.

Some apps receive buffers through ashmem from system_server, e.g., the
settings app reads battery stats from system_server through ashmem when
an app details page is opened.  Restore this ability by giving apps read
access to system_server_tmpfs.  system_server is still responsible for
creating and passing across the ashmem buffers, so this doesn't give
apps the ability to read anything system_server isn't willing to give
them.

Bug: 112987536
Bug: 111381531
Test: atest android.appsecurity.cts.PermissionsHostTest on kernel 4.14
(cherry picked from 360559e7)

(cherry picked from commit 7e799f995abfb2dd2cb8708db3b0042b73476ef3)

CRs-Fixed:2491460

Change-Id: Ice5e25f55bc409e91ad7e8c7ea8b28ae213191a3

parent a57e0922

No related branches found

No related tags found

Hide whitespace changes

Inline Side-by-side

Showing with 8 additions and 0 deletions

Ghost User @ghost
mentioned in commit e932ef95
· 2 years ago

mentioned in commit e932ef95

mentioned in commit e932ef95bccfbc816e2509530c37113dc756514d

Toggle commit list

Please register or to comment