From 7db957253dc04d8451d7fc690e353dcec4c013cc Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Thu, 4 May 2017 08:35:03 -0700
Subject: [PATCH] Sepolicy: Allow system server to exec zygote_exec

Under ASAN, allow system-server to execute app_process. This is
required for wrap-property execution.

Bug: 36138508
Test: m && SANITIZE_TARGET m
Change-Id: Ic637e5205ea86e0edcd66ab387e89b27afef6b99
---
 private/system_server.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/private/system_server.te b/private/system_server.te
index 208eb73e6..a1c4a1f3a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -661,11 +661,12 @@ allow system_server sysfs_leds:dir r_dir_perms;
 allow system_server debugfs_tracing_instances:dir search;
 allow system_server debugfs_wifi_tracing:file rw_file_perms;
 
-# allow system_server to exec shell on ASAN builds. Needed to run
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
 # asanwrapper.
 with_asan(`
   allow system_server shell_exec:file rx_file_perms;
   allow system_server asanwrapper_exec:file rx_file_perms;
+  allow system_server zygote_exec:file rx_file_perms;
 ')
 
 ###
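Review bot: The comment above the `with_asan` block still ends with "Needed to run asanwrapper.", which does not explain why the added `zygote_exec` rule is needed; the commit message gives the reason (wrap-property execution), but the policy file does not. `rx_file_perms` includes `execute_no_trans`, and no domain transition is visible in this hunk, so app_process launched this way would presumably keep running in the `system_server` domain with all of its permissions. I would record that next to the rule, e.g. `# zygote_exec (app_process): needed for wrap-property execution under ASAN; runs via execute_no_trans in the system_server domain, so keep this inside with_asan.` That makes it clear to later editors that the grant is a sanitizer-build exception and should not be moved out of the macro.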
-- 
GitLab