92 lines
3.5 KiB
Diff
92 lines
3.5 KiB
Diff
From af4188bc5971cafc7f3e1473e2da15fcf94cbe60 Mon Sep 17 00:00:00 2001
|
|
From: Benjamin Gordon <bmgordon@google.com>
|
|
Date: Wed, 22 Aug 2018 06:30:51 -0600
|
|
Subject: [PATCH 22/26] sepolicy: Add mmap for profman
|
|
|
|
SELinux has a separate file mmap permission in 4.14+ kernels. Add this
|
|
to profman in cases where it could already access files.
|
|
|
|
Bug: 112990132
|
|
Test: atest com.android.cts.dexmetadata.InstallDexMetadataHostTest
|
|
Change-Id: I4f3cd55fbd4d0052500f07aac7d286c397758abc
|
|
---
|
|
prebuilts/api/28.0/public/profman.te | 14 +++++++-------
|
|
public/profman.te | 14 +++++++-------
|
|
2 files changed, 14 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
|
|
index 4296d1b1..da639b0a 100644
|
|
--- a/prebuilts/api/28.0/public/profman.te
|
|
+++ b/prebuilts/api/28.0/public/profman.te
|
|
@@ -2,24 +2,24 @@
|
|
type profman, domain;
|
|
type profman_exec, exec_type, file_type;
|
|
|
|
-allow profman user_profile_data_file:file { getattr read write lock };
|
|
+allow profman user_profile_data_file:file { getattr read write lock map };
|
|
|
|
# Dumping profile info opens the application APK file for pretty printing.
|
|
-allow profman asec_apk_file:file { read };
|
|
-allow profman apk_data_file:file { getattr read };
|
|
+allow profman asec_apk_file:file { read map };
|
|
+allow profman apk_data_file:file { getattr read map };
|
|
allow profman apk_data_file:dir { getattr read search };
|
|
|
|
-allow profman oemfs:file { read };
|
|
+allow profman oemfs:file { read map };
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
-allow profman tmpfs:file { read };
|
|
-allow profman profman_dump_data_file:file { write };
|
|
+allow profman tmpfs:file { read map };
|
|
+allow profman profman_dump_data_file:file { write map };
|
|
|
|
allow profman installd:fd use;
|
|
|
|
# Allow profman to analyze profiles for the secondary dex files. These
|
|
# are application dex files reported back to the framework when using
|
|
# BaseDexClassLoader.
|
|
-allow profman app_data_file:file { getattr read write lock };
|
|
+allow profman app_data_file:file { getattr read write lock map };
|
|
allow profman app_data_file:dir { getattr read search };
|
|
|
|
###
|
|
diff --git a/public/profman.te b/public/profman.te
|
|
index 4296d1b1..da639b0a 100644
|
|
--- a/public/profman.te
|
|
+++ b/public/profman.te
|
|
@@ -2,24 +2,24 @@
|
|
type profman, domain;
|
|
type profman_exec, exec_type, file_type;
|
|
|
|
-allow profman user_profile_data_file:file { getattr read write lock };
|
|
+allow profman user_profile_data_file:file { getattr read write lock map };
|
|
|
|
# Dumping profile info opens the application APK file for pretty printing.
|
|
-allow profman asec_apk_file:file { read };
|
|
-allow profman apk_data_file:file { getattr read };
|
|
+allow profman asec_apk_file:file { read map };
|
|
+allow profman apk_data_file:file { getattr read map };
|
|
allow profman apk_data_file:dir { getattr read search };
|
|
|
|
-allow profman oemfs:file { read };
|
|
+allow profman oemfs:file { read map };
|
|
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
|
|
-allow profman tmpfs:file { read };
|
|
-allow profman profman_dump_data_file:file { write };
|
|
+allow profman tmpfs:file { read map };
|
|
+allow profman profman_dump_data_file:file { write map };
|
|
|
|
allow profman installd:fd use;
|
|
|
|
# Allow profman to analyze profiles for the secondary dex files. These
|
|
# are application dex files reported back to the framework when using
|
|
# BaseDexClassLoader.
|
|
-allow profman app_data_file:file { getattr read write lock };
|
|
+allow profman app_data_file:file { getattr read write lock map };
|
|
allow profman app_data_file:dir { getattr read search };
|
|
|
|
###
|
|
--
|
|
2.17.1
|
|
|