From 00252207f878f63aaa5219bcd4aa35a7aac9fb91 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 31 Oct 2018 12:47:27 -0700
Subject: [PATCH] isolated_app: add mmaps

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation).

system/sepolicy commit 4397f08288890ef397697b4d6dbff596bdca14c8 introduced the permission to Android and updated common macros.

Since then, we've been adding more mmap support where it was accidentally omitted.

Add the ability for isolated_apps to mmap() app data files. There's no reason why this should be blocked.

Also fixup sdcard access which has similar problems.

Bug: 118760652
Bug: https://crbug.com/892014
Test: policy compiles.

Change-Id: I3823f313103c9dcedf3b21d081a22f8fbb271c02
---
 private/isolated_app.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 85e80a5fa..a17f22a4c 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -11,7 +11,7 @@ typeattribute isolated_app coredomain;
 app_domain(isolated_app)
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock };
+allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
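Review bot: The comment on the context line above the changed allow rule still describes the grant as plain access to already-open app data files, but the rule now also lets isolated_app memory-map those descriptors; the sdcard_type/media_rw_data_file allow in the second hunk has the same gap, its three-line comment block saying nothing about mapping. Suggest rewording the first to `# Access, including mmap, of already open app data files received over Binder or local socket IPC. Executable mappings additionally need the execute permission, which this rule does not grant.` and adding an equivalent sentence to the sdcard comment. As written, both rules add map but not execute, so PROT_EXEC mappings of these files remain denied as far as these rules go; recording that explicitly marks the boundary for the next person widening this set.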
@@ -29,7 +29,7 @@ allow isolated_app self:process ptrace;
 # neverallow rules below.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
@@ -102,7 +102,7 @@ neverallow isolated_app cache_file:file ~{ read getattr };
 neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
 neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-- 
GitLab
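Review bot: The relaxed neverallow on the last changed line of the third hunk is the rule that actually bounds what isolated_app may do with sdcard_type files, and its permission set now has to be kept equal to the sdcard_type/media_rw_data_file allow in the second hunk by hand, with nothing at either site saying so. A comment above the neverallow would make the coupling visible, e.g. `# Must mirror the isolated_app sdcard_type:file allow rule above; map is permitted, execute is not.`. The complement set still excludes execute, so adding map here widens mmap but not PROT_EXEC mappings of sdcard content, which is worth stating since "map" reads like it might imply both. The commit's "policy compiles" test is what checks this pairing: an allow rule that a neverallow still forbids fails the build, so the two hunks have to move together.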