Allow isolated to map staged apks
type=1400 audit(0.0:189): avc: denied { map }
for path="/data/app/vmdl1214904451.tmp/base.apk"
dev="dm-57" ino=23033 scontext=u:r:isolated_app:s0:c512,c768
tcontext=u:object_r:apk_tmp_file:s0 tclass=file permissive=0
Bug: 349888347
Test: Flashed to device with and without this change, confirmed that this
change allows an isolated process to map an already opened staged apk file
Change-Id: I64b2a9855ca3e539d4d306b75ab3686bef4a007e
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index 8c1fdcb..12b1794 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -32,8 +32,8 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app_all shell_data_file:dir search;
-# Allow to read (but not open) staged apks.
-allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr };
+# Allow to read, map (but not open) staged apks.
+allow isolated_app_all { apk_tmp_file apk_private_tmp_file }:file { read getattr map };
#####
##### Neverallow
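Review bot: The rewritten comment on the new allow line reads awkwardly ("Allow to read, map (but not open)") and does not say why granting `map` without `open` is acceptable, which is the question a future reader of this rule will ask. Since the rule still omits `open`, the isolated app can only map an apk fd it already holds (the commit message says it is handed an already opened file), and since neither `write` nor `execute` is granted, a writable shared mapping or a PROT_EXEC mapping of the apk would still be denied by the file map checks. I would replace the comment with `# Allow reading and mapping (but not opening) staged apks: the fd must come from elsewhere, and without write/execute only read-only mappings are possible.` It is also worth a one-line mention that the Neverallow section below was checked against this widened rule, if that was part of the verification.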