From bedfb22ab9e246783cfedee6d5f1170dd589f3e7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 13 Aug 2018 10:31:58 -0700
Subject: [PATCH] more mmaps

Linux kernel 4.14+ SELinux starts explicit map
permission check for file mmap operations. For backards
compat, add mmap in more places where we explicitly
list out individual file permissions.

Test: policy compiles
Change-Id: Idc4ca53769f2e7aa12ed93ab27191ed92da37a3e
---
 public/app.te       | 14 +++++++-------
 public/dex2oat.te   | 14 +++++++-------
 public/drmserver.te | 12 ++++++------
 public/init.te      |  2 +-
 public/te_macros    |  4 ++--
 5 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/public/app.te b/public/app.te
index 12a9b81c5..3de24fbab 100644
--- a/public/app.te
+++ b/public/app.te
@@ -124,16 +124,16 @@ allow appdomain vendor_public_lib_file:file { execute read open getattr map };
 allow appdomain dex2oat_exec:file rx_file_perms;
 
 # Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
+allow appdomain wallpaper_file:file { getattr read write map };
 
 # Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
+allow appdomain ringtone_file:file { getattr read write map };
 
 # Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
+allow appdomain shortcut_manager_icons:file { getattr read map };
 
 # Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
+allow appdomain icon_file:file { getattr read map };
 
 # Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
 #
@@ -231,12 +231,12 @@ allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdow
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain backup_data_file:file { read write getattr map };
+allow appdomain cache_backup_file:file { read write getattr map };
 allow appdomain cache_backup_file:dir getattr;
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
+allow appdomain system_data_file:file { getattr read map };
 
 # Allow read/stat of /data/media files passed by Binder or local socket IPC.
 allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 75a3018be..2e96352fc 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -7,9 +7,9 @@ r_dir_file(dex2oat, apk_data_file)
 r_dir_file(dex2oat, vendor_app_file)
 # Access /vendor/framework
 allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read };
+allow dex2oat vendor_framework_file:file { getattr open read map };
 
-allow dex2oat tmpfs:file { read getattr };
+allow dex2oat tmpfs:file { read getattr map };
 
 r_dir_file(dex2oat, dalvikcache_data_file)
 allow dex2oat dalvikcache_data_file:file write;
@@ -24,16 +24,16 @@ allow dex2oat system_file:file lock;
 # Read already open asec_apk_file file descriptors passed by installd.
 # Also allow reading unlabeled files, to allow for upgrading forward
 # locked APKs.
-allow dex2oat asec_apk_file:file read;
-allow dex2oat unlabeled:file read;
-allow dex2oat oemfs:file read;
+allow dex2oat asec_apk_file:file { read map };
+allow dex2oat unlabeled:file { read map };
+allow dex2oat oemfs:file { read map };
 allow dex2oat apk_tmp_file:dir search;
 allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock };
+allow dex2oat user_profile_data_file:file { getattr read lock map };
 
 # Allow dex2oat to compile app's secondary dex files which were reported back to
 # the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock };
+allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
 
 ##################
 # A/B OTA Dexopt #
diff --git a/public/drmserver.te b/public/drmserver.te
index 1a675beba..23ba9a6d7 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -21,8 +21,8 @@ allow drmserver sdcard_type:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver tee_device:chr_file rw_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr };
-allow drmserver sdcard_type:file { read write getattr };
+allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
+allow drmserver sdcard_type:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;
@@ -38,12 +38,12 @@ allow drmserver apk_data_file:sock_file unlink;
 r_dir_file(drmserver, media_rw_data_file)
 
 # Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr };
-allow drmserver asec_apk_file:file { read getattr };
-allow drmserver ringtone_file:file { read getattr };
+allow drmserver apk_data_file:file { read getattr map };
+allow drmserver asec_apk_file:file { read getattr map };
+allow drmserver ringtone_file:file { read getattr map };
 
 # Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr };
+allow drmserver radio_data_file:file { read getattr map };
 
 # /oem access
 allow drmserver oemfs:dir search;
diff --git a/public/init.te b/public/init.te
index aa51a2f28..5db0ab3bd 100644
--- a/public/init.te
+++ b/public/init.te
@@ -180,7 +180,7 @@ allow init {
   -system_file
   -vendor_file_type
   -vold_data_file
-}:file { create getattr open read write setattr relabelfrom unlink };
+}:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow init {
   file_type
diff --git a/public/te_macros b/public/te_macros
index 5c1eeeace..febfe557f 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -358,7 +358,7 @@ allow $1 hwservicemanager:binder { call transfer };
 allow hwservicemanager $1:binder { call transfer };
 # hwservicemanager performs getpidcon on clients.
 allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:file { read open map };
 allow hwservicemanager $1:process getattr;
 # rw access to /dev/hwbinder and /dev/ashmem is presently granted to
 # all domains in domain.te.
@@ -374,7 +374,7 @@ allow $1 vndbinder_device:chr_file rw_file_perms;
 allow $1 vndservicemanager:binder { call transfer };
 # vndservicemanager performs getpidcon on clients.
 allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:file { read open map };
 allow vndservicemanager $1:process getattr;
 ')
 
-- 
GitLab