From c72b7d17310499f6bd6545e0e509fd603045d329 Mon Sep 17 00:00:00 2001 From: Roland Levillain Date: Fri, 16 Aug 2019 19:56:03 +0100 Subject: [PATCH] Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SELinux has a separate file mmap permission in 4.14+ kernels. Add this to dexoptanalyzer(d) in cases where it could already access files (in particular, secondary dex files). Addresses denials of the form: avc: denied { map } for […] path="/data/data/[…]" […] scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel and check the absence of SELinux denials Bug: 138683603 Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555 --- private/dexoptanalyzer.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te index a978af6c6..1f9246230 100644 --- a/private/dexoptanalyzer.te +++ b/private/dexoptanalyzer.te @@ -25,7 +25,7 @@ allow dexoptanalyzer system_file:file lock; # Allow reading secondary dex files that were reported by the app to the # package manager. allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search }; -allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read }; +allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map }; # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the # "dontaudit...audit_access" policy line to suppress the audit access without # suppressing denial on actual access.
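Review bot: the comment directly above the changed rule ("Allow reading secondary dex files that were reported by the app to the package manager") should be extended to say that the files are also mmap'd, since the new `map` permission in `allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };` is otherwise undocumented in the .te file and the 4.14+ rationale lives only in the commit message. Worth stating in that comment as well that the grant stays read-only: the vector carries neither `write` nor `execute`, so `map` can only back PROT_READ mappings of app data, which matches the "files it can already access" scope claimed in the subject line. A one-line comment such as "# (4.14+ kernels also require the map permission to mmap them.)" would make that intent auditable at the rule itself.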