Explicitly allow system_server to (m)map data files

Linux kernel 4.14+ SELinux starts explicit map permission check for file mmap operations. Add this permission to system_server for data file access, which is used in scenario such as "adb install" of APK's. test: no longer see SELinux map denial on "adb install" Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed

Explicitly allow system_server to (m)map data files
Linux kernel 4.14+ SELinux starts explicit map permission check for file mmap operations. Add this permission to system_server for data file access, which is used in scenario such as "adb install" of APK's. test: no longer see SELinux map denial on "adb install" Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed
383471c2 · David Ng · Benjamin Gordon · c8ed855e · 383471c2
Commit 383471c2 authored 6 years ago by David Ng Committed by Benjamin Gordon 6 years ago
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -481,7 +481,7 @@ allow system_server {
  shell_data_file
  app_data_file
  privapp_data_file
-}:file { getattr read write append };
+}:file { getattr read write append map };

 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };