commit 24537b2e9607dbc7aaf3687a9d6031cc811c06f0
author John Stultz <john.stultz@linaro.org> Tue Aug 22 22:10:33 2017 -0700
committer John Stultz <john.stultz@linaro.org> Wed Aug 23 05:41:36 2017 +0000
tree c31e5ec18fcae422f53058df24098162c8c63ec9
parent ced80e801b85220c99a7b97a8b1ac23afd7608d3

sepolicy: Define and allow map permission for vendor dir

This patch tries to provide similar functionality as the previous
change made here:
https://android-review.googlesource.com/#/c/platform/system/sepolicy/+/432339/

Only, making sure we add the same map permissions for the vendor
directory.

Change-Id: Ia965df2881cdee8bb5d81278a1eb740def582871
Signed-off-by: John Stultz <john.stultz@linaro.org>

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 8ea0bb8..7e1d6c2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -106,7 +106,7 @@
 # devices
 not_full_treble(`
     allow domain vendor_file_type:dir { search getattr };
-    allow domain vendor_file_type:file { execute read open getattr };
+    allow domain vendor_file_type:file { execute read open getattr map };
     allow domain vendor_file_type:lnk_file { getattr read };
 ')
 
@@ -117,12 +117,12 @@
 
 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-allow domain same_process_hal_file:file { execute read open getattr };
+allow domain same_process_hal_file:file { execute read open getattr map };
 
 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
 allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr };
+allow domain vndk_sp_file:file { execute read open getattr map };
 
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
@@ -139,7 +139,7 @@
 
     # Allow reading and executing out of /vendor to all vendor domains
     allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-    allow { domain -coredomain } vendor_file_type:file { read open getattr execute };
+    allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
     allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
 ')
 

public/te_macros

diff --git a/public/te_macros b/public/te_macros
index 6b41400..e1f0644 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -232,7 +232,7 @@
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 ')
 
@@ -251,7 +251,7 @@
 # Find passthrough HAL implementations
 allow $2 system_file:dir r_dir_perms;
 allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute };
+allow $2 vendor_file:file { read open getattr execute map };
 ')
 
 #####################################