lineage_patches_unified/patches/platform_system_sepolicy/0019-Relax-some-neverallow-rules.patch

From 782636c9e2be240ec48543ca5171bf2ea2bc0f38 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 7 Aug 2018 13:44:20 -0700
Subject: [PATCH 19/26] Relax some neverallow rules

Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.

Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
---
 prebuilts/api/28.0/public/domain.te | 8 ++++----
 public/domain.te                    | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index a0a19166..26ce1a00 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -818,7 +818,7 @@ full_treble_only(`
   } {
     data_file_type
     -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
   neverallow {
@@ -850,7 +850,7 @@ full_treble_only(`
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
     -data_between_core_and_vendor_violators
@@ -858,7 +858,7 @@ full_treble_only(`
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -924,7 +924,7 @@ full_treble_only(`
     -init
     } {
       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
diff --git a/public/domain.te b/public/domain.te
index a0a19166..26ce1a00 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -818,7 +818,7 @@ full_treble_only(`
   } {
     data_file_type
     -core_data_file_type
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
 ')
 full_treble_only(`
   neverallow {
@@ -850,7 +850,7 @@ full_treble_only(`
     # files in /data/misc/zoneinfo/tzdata file. These functions are considered
     # vndk-stable and thus must be allowed for all processes.
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   neverallow {
     vendor_init
     -data_between_core_and_vendor_violators
@@ -858,7 +858,7 @@ full_treble_only(`
     core_data_file_type
     -unencrypted_data_file
     -zoneinfo_data_file
-  }:file_class_set ~{ append getattr ioctl read write };
+  }:file_class_set ~{ append getattr ioctl read write map };
   # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
   # The vendor init binary lives on the system partition so there is not a concern with stability.
   neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -924,7 +924,7 @@ full_treble_only(`
     -init
     } {
       vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
-    }:file_class_set ~{ append getattr ioctl read write };
+    }:file_class_set ~{ append getattr ioctl read write map };
 ')
 
 # On TREBLE devices, a limited set of files in /vendor are accessible to
-- 
2.17.1