From 476855357b5ec9f59754cdb5aa0f0a6806b34049 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 27 Nov 2013 13:33:04 -0800
Subject: [PATCH] Allow write access to ashmem allocated regions

Allow tmpfs_domains the ability to write to ashmem allocated regions. At least one Google internal app does this, and switching untrusted_app into enforcing causes the following denial:
<5>[ 291.791423] type=1400 audit(1385587240.320:79): avc: denied { write } for pid=3774 comm="XXXXXXXXXXXX" path=2F6465762F6173686D656D202864656C6574656429 dev="tmpfs" ino=16937 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:untrusted_app_tmpfs:s0 tclass=file path=/dev/ashmem (deleted)
Bug: 11891764
Change-Id: I64d414c055cd02481ebf69994fad65d777d8381d
---
 te_macros | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/te_macros b/te_macros
index c7c93aad8..7be9d5900 100644
--- a/te_macros
+++ b/te_macros
@@ -89,7 +89,7 @@ define(`tmpfs_domain', `
 type $1_tmpfs, file_type;
 type_transition $1 tmpfs:file $1_tmpfs;
 # Map with PROT_EXEC.
-allow $1 $1_tmpfs:file { read execute execmod };
+allow $1 $1_tmpfs:file { read write execute execmod };
 ')
 
 #####################################
-- 
GitLab
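Review bot: The added `write` on the `+allow` line goes into the same rule as `execute` and `execmod`, so every domain that invokes `tmpfs_domain` (not only untrusted_app, which the commit message and denial describe) now holds read, write, execute and execmod on its own `$1_tmpfs` files, and the `# Map with PROT_EXEC.` comment directly above no longer describes what the rule grants. Holding write together with execute/execmod on the same object is what lets a domain map one ashmem-backed file both writable and executable, so the commit message should record why execute/execmod must remain on this object rather than being split from the write grant. At minimum the comment should be updated to match the rule, e.g. `# Map with PROT_EXEC; write is needed for ashmem-backed regions (Bug: 11891764).`. The `define(`tmpfs_domain', `` block begins before the hunk's first line, as the hunk header shows.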