From 383471c267b6792f1625f8f771d8e0c0b9090300 Mon Sep 17 00:00:00 2001
From: David Ng <dave@codeaurora.org>
Date: Wed, 11 Apr 2018 10:43:57 -0700
Subject: [PATCH] Explicitly allow system_server to (m)map data files

Linux kernel 4.14+ SELinux starts an explicit map
permission check for file mmap operations.  Add this
permission to system_server for data file access,
which is used in scenarios such as "adb install" of
APKs.

test: no longer see SELinux map denial on "adb install"
Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed
---
 private/system_server.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/system_server.te b/private/system_server.te
index bbd031b49..d1e09be0b 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -481,7 +481,7 @@ allow system_server {
   shell_data_file
   app_data_file
   privapp_data_file
-}:file { getattr read write append };
+}:file { getattr read write append map };
 
 # Access to /data/media for measuring disk usage.
 allow system_server media_rw_data_file:dir { search getattr open read };
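Review bot: The added `map` on the `}:file { getattr read write append map };` line applies to every type in the set, including `app_data_file` and `privapp_data_file`, while the commit message only motivates the "adb install" path. Please quote the avc denial (scontext, tcontext, tclass) in the commit message so the scope can be checked, and if only one target type appears there, grant `map` in a separate rule for that type rather than widening the whole set. A one-line comment above the rule saying that kernel 4.14+ checks `map` on mmap of these files would also help later readers judge whether the permission is still needed.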
-- 
GitLab