From 9f3f3784504e466973d5bbf1ce72e3f12dcc9c17 Mon Sep 17 00:00:00 2001
From: John Stultz <john.stultz@linaro.org>
Date: Tue, 22 Aug 2017 22:10:33 -0700
Subject: [PATCH] sepolicy: Define and allow map permission for vendor dir

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

This change extends it by adding the same map permission to the rules
covering files under the vendor directory (and the VNDK-SP / same-process
HAL files that vendor code maps).

Signed-off-by: John Stultz <john.stultz@linaro.org>

(cherry picked from commit 24537b2e9607dbc7aaf3687a9d6031cc811c06f0)

Bug: 65011018
Test: policy compiles.
Change-Id: I4d0319011ef4ef043134bf299dc4823a6c418717
---
 public/domain.te | 8 ++++----
 public/te_macros | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index e550485ee..9ddc372df 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,7 +106,7 @@ allow domain system_file:lnk_file { getattr read };
 # devices
 not_full_treble(`
     allow domain vendor_file_type:dir { search getattr };
-    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:file { execute read open getattr map };
     allow domain vendor_file_type:lnk_file { getattr read };
 ')
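Review bot: The new `map` permission on the vendor_file_type file rule carries no comment saying why it is needed, and a reader of domain.te cannot tell from this hunk that it is the mmap-side counterpart of the `execute` already granted. Since the referenced change introduced `map` to the policy, a one-line note above the rule would keep that rationale in the file: `# map is needed in addition to execute: loading a vendor library mmap()s the file, which kernels with the map check gate separately from read`. The permission list here (`execute read open getattr map`) is also ordered differently from the full-Treble rule for the same type later in the file; aligning it as `{ read open getattr execute map }` makes the two rules diff cleanly against each other. The not_full_treble() block is shown in full, but the surrounding domain.te rules are outside the hunk.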
 
@@ -117,12 +117,12 @@ allow domain vendor_hal_file:dir r_dir_perms;
 
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
+allow domain same_process_hal_file:file { execute read open getattr map };
 
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
 allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
+allow domain vndk_sp_file:file { execute read open getattr map };
 
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
@@ -139,7 +139,7 @@ full_treble_only(`
 
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
     allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
 ')
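Review bot: The commit only records that the policy compiles, which does not exercise the new permission: the `map` check is enforced by the kernel, so a build-time pass says nothing about whether every mmap path out of /vendor is now covered. Before relying on this, boot a device whose kernel implements the map check and confirm no `avc: denied { map }` entries remain for vendor_file_type, same_process_hal_file or vndk_sp_file sources; on a kernel without the check the rule is inert and the denials would not appear, so a clean log there proves nothing. The rule itself looks consistent with the existing `execute` grant to `{ domain -coredomain }`, and it adds no new source domains. The full_treble_only() block starts before this hunk.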
 
diff --git a/public/te_macros b/public/te_macros
index c7802d5a7..e8c667d41 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -234,7 +234,7 @@ typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
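Review bot: The vendor_file rule changed here is duplicated verbatim in the second macro of this file (the hunk at line 253 edits an identical `allow $2 vendor_file:file { ... }` line), and this commit is an example of what that costs: every permission added to one has to be remembered in the other. Factoring the three "Find passthrough HAL implementations" lines into a small shared macro that both call — e.g. `define(`passthrough_hal_access', `allow $1 system_file:dir r_dir_perms; allow $1 vendor_file:dir r_dir_perms; allow $1 vendor_file:file { read open getattr execute map };')` — would make the next permission change a one-line edit. The macro definitions that these lines belong to begin above the hunk, so their names and conditions are not visible here; the fix would need to be applied at both definition sites.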
 ')
 
@@ -253,7 +253,7 @@ typeattribute $1 $2;
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 
 #####################################
-- 