Allow apps to use mmap on fuse fds.

This is needed for the following denial:
type=1400 audit(0.0:124): avc: denied { map } for
comm=54696D652D6C696D69746564207465 path="/mnt/appfuse/10182_2/2"
dev="fuse" ino=2 scontext=u:r:untrusted_app:s0:c182,c256,c512,c768
tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0

Bug: 150801745
Test: atest CtsBlobStoreTestCases:com.android.cts.blob.BlobStoreManagerTest#testOpenBlob -- --abi x86
Merged-In: Ib7ca64e11b24f8835874698df15a9a0fdce67454
Change-Id: I4dc4ce91da3513a2d1f08ada401741f6d5a090c3
Sudheer Shanka 2020-03-04 17:21:18 -08:00
parent 4e47834266
commit 975215578f


@ -317,7 +317,7 @@ allow appdomain same_process_hal_file:file { execute read open getattr map };
allow appdomain proc_meminfo:file r_file_perms;
# For app fuse.
allow appdomain app_fuse_file:file { getattr read append write };
allow appdomain app_fuse_file:file { getattr read append write map };
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
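Review bot: The comment above the changed rule still says only `# For app fuse.`, so nothing in the policy records why `map` was added or that `execute` is left out of the permission set. I would expand it to something like `# For app fuse. map lets apps mmap() fds backed by appfuse; execute is not granted, so executable mappings of these files stay denied.` The rule's source is all of `appdomain`, while the denial quoted in the commit message comes from `untrusted_app` only. That matches the scope of the read/write grant it replaces, but it is worth confirming that the narrower domains under `appdomain` are meant to receive `map` as well.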