From 975215578f0b10a35a36c02e7f265a063796729e Mon Sep 17 00:00:00 2001
From: Sudheer Shanka
Date: Wed, 4 Mar 2020 17:21:18 -0800
Subject: [PATCH] Allow apps to use mmap on fuse fds.
This is needed for the following denial: type=1400 audit(0.0:124): avc: denied { map } for comm=54696D652D6C696D69746564207465 path="/mnt/appfuse/10182_2/2" dev="fuse" ino=2 scontext=u:r:untrusted_app:s0:c182,c256,c512,c768 tcontext=u:object_r:app_fuse_file:s0 tclass=file permissive=0
Bug: 150801745
Test: atest CtsBlobStoreTestCases:com.android.cts.blob.BlobStoreManagerTest#testOpenBlob -- --abi x86
Merged-In: Ib7ca64e11b24f8835874698df15a9a0fdce67454
Change-Id: I4dc4ce91da3513a2d1f08ada401741f6d5a090c3
---
 public/app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/app.te b/public/app.te
index 235d3f808..e5b9fd670 100644
--- a/public/app.te
+++ b/public/app.te
@@ -317,7 +317,7 @@ allow appdomain same_process_hal_file:file { execute read open getattr map };
 allow appdomain proc_meminfo:file r_file_perms;
 # For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
+allow appdomain app_fuse_file:file { getattr read append write map };
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
 pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
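Review bot: The comment above the changed rule still reads only `# For app fuse.`, so the policy file does not record why `map` was added or that `execute` is left out of the set on purpose. I would extend it to something like `# For app fuse. map allows mmap() of fds served over app fuse; execute is intentionally not granted.` so a later edit does not widen the set without noticing. The grant applies to every domain in `appdomain`, which per the `pdx_client` lines below appears to include `isolated_app` and `ephemeral_app`, while the denial quoted in the commit message comes from `untrusted_app` only. That matches the scope of the existing read/write rule, but it is worth confirming that those two domains are meant to map app-fuse files as well.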