From bd3e300a1309323e02c7144202acb48f40f11946 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 7 Aug 2018 13:44:20 -0700
Subject: [PATCH] Relax some neverallow rules

Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.

Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
---
 public/domain.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 85b8ff204..a049094c0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -819,7 +819,7 @@ full_treble_only(`
   } {
     data_file_type
     -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
   neverallow {
@@ -851,7 +851,7 @@ full_treble_only(`
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
     -data_between_core_and_vendor_violators
@@ -859,7 +859,7 @@ full_treble_only(`
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -925,7 +925,7 @@ full_treble_only(`
     -init
     } {
       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-- 
GitLab