From 99ceb07ec16436c2c806dc975518d7081d9dd5f5 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 30 Jul 2018 18:52:46 -0700
Subject: [PATCH] Allow mmap for vendor_init

vendor_init needs to touch a bunch of files. Forgotten within this set
of permissions is the ability to mmap files.

Addresses the following denial:

  avc:  denied  { map } for  pid=1167 comm="init" path="/system/etc/selinux/plat_file_contexts" dev="vda1" ino=1845 scontext=u:r:vendor_init:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

While I'm here, add mmap() support to the other rules where it is likely
to be needed.

Bug: 111742629
Test: make -j80, ran emulator
Change-Id: Icab00e45ae88f0d86be66d85a22e018af6ffcd75
---
 public/vendor_init.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/public/vendor_init.te b/public/vendor_init.te
index 9b537c10f..941303c4a 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -57,7 +57,7 @@ allow vendor_init {
   -unlabeled
   -vendor_file_type
   -vold_metadata_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {
   file_type
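Review bot: The `map` added on the `}:file { ... }` line lands on the one rule of the three that also carries `write`, so vendor_init can now create MAP_SHARED|PROT_WRITE mappings of every file type in this broad set (its exclusion list starts above the hunk), while the denial quoted in the description only shows a read-side map of file_contexts_file. Unless writable mappings are actually required, keeping `map` on the read-only rules (the second hunk and the serialno_prop rule) and leaving this rule unchanged would grant exactly what the denial asks for. Whichever way it is resolved, a one-line comment on the rule would keep the next reader from trimming or widening it blindly, e.g. `# map: init mmap()s some of these files; execute is deliberately not granted, so mappings cannot be executable.`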
@@ -104,7 +104,7 @@ allow vendor_init {
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
   -proc_uid_concurrent_policy_time
-}:file { open read setattr };
+}:file { open read setattr map };
 
 allow vendor_init {
   fs_type
@@ -146,7 +146,7 @@ allow vendor_init self:process { setfscreate };
 r_dir_file(vendor_init, vendor_file_type)
 
 # Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read };
+allow vendor_init serialno_prop:file { getattr open read map };
 
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
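Review bot: The comment "Vendor init can read properties" above the changed serialno_prop rule says nothing about why `map` is now needed, and only the serialno_prop context is covered here. Android property reads are served from an mmap()ed property area rather than read(2), so `map` is what makes the existing `read` permission usable; without that being written down the permission looks redundant next to `read`. Suggest `# Vendor init can read properties (the property area is accessed via mmap, hence map)` as the updated comment.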
-- 
GitLab