Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access.

SELinux has a separate file mmap permission in 4.14+ kernels. Add this to dexoptanalyzer(d) in cases where it could already access files (in particular, secondary dex files). Addresses denials of the form: avc: denied { map } for […] path="/data/data/[…]" […] scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel and check the absence of SELinux denials Bug: 138683603 Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
2019-08-16 19:56:03 +01:00 · 2019-08-16 19:56:03 +01:00 · c72b7d1731
commit c72b7d1731
parent 3e7429359f
1 changed files with 1 additions and 1 deletions
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@ -25,7 +25,7 @@ allow dexoptanalyzer system_file:file lock;
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.