From 24537b2e9607dbc7aaf3687a9d6031cc811c06f0 Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Tue, 22 Aug 2017 22:10:33 -0700
Subject: [PATCH] sepolicy: Define and allow map permission for vendor dir

This patch tries to provide similar functionality as the previous change made here: https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/ Only, making sure we add the same map permissions for the vendor directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>
---
 public/domain.te | 8 ++++----
 public/te_macros | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 8ea0bb841..7e1d6c280 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,7 +106,7 @@ allow domain system_file:lnk_file { getattr read };
 # devices
 not_full_treble(`
  allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
  allow domain vendor_file_type:lnk_file { getattr read };
 ')
@@ -117,12 +117,12 @@ allow domain vendor_hal_file:dir r_dir_perms;
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
+allow domain same_process_hal_file:file { execute read open getattr map };
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
 allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
+allow domain vndk_sp_file:file { execute read open getattr map };
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
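Review bot: The permission sets on the changed lines of this hunk, the -117 hunk and the -139 hunk are spelled out literally (`{ execute read open getattr map }`) rather than via `rx_file_perms`, so each new permission has to be threaded through every rule by hand; presumably `ioctl` and `lock` are omitted on purpose, and a comment saying so would keep a later cleanup from substituting the macro and silently widening what every domain may do to vendor files. A line such as `# map is needed to mmap vendor libraries; kept narrower than rx_file_perms on purpose (no ioctl/lock)` above the `not_full_treble(` block would carry that. The commit subject says "Define and allow", but no hunk in this patch defines `map` itself; if the access-vector definition landed with the referenced change 432339, the subject could drop "Define" so readers do not go looking for it here. The ordering inside the sets also differs between this file's `execute read open getattr map` and the -139 hunk's `read open getattr execute map`; harmless to the compiler, but worth normalizing while these lines are being touched.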
@@ -139,7 +139,7 @@ full_treble_only(`
  # Allow reading and executing out of /vendor to all vendor domains
  allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
  allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
 ')
diff --git a/public/te_macros b/public/te_macros
index 6b41400b1..e1f0644e0 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -232,7 +232,7 @@ typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 ')
@@ -251,7 +251,7 @@ typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 #####################################
-- 
GitLab
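Review bot: The -232 and -251 hunks in te_macros make the identical one-word edit to two rule bodies that are byte-for-byte the same (`# Find passthrough HAL implementations` through the `allow $2 vendor_file:file` line), which is the kind of duplication that turns a single missing permission into two separate fixes; if the two enclosing macros are meant to stay in step, hoisting those four lines into one shared macro leaves a single place to update next time. Both enclosing `define(` lines sit above their hunks, so whether the macro bodies legitimately diverge elsewhere cannot be judged from here. Note also that the macros grant `map` only on the concrete `vendor_file` type, while the domain.te rules in the -106, -117 and -139 hunks grant it on the `vendor_file_type` attribute; that looks intentional, since passthrough HAL clients get a narrower grant than vendor domains, but a comment such as `# vendor_file only, not the vendor_file_type attribute: clients need just the passthrough libraries` on the first macro would stop someone later "fixing" it to the broader attribute.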