Explicitly allow system_server to (m)map data files

Linux kernel 4.14+ SELinux starts an explicit map
permission check for file mmap operations. Add this
permission to system_server for data file access,
which is used in scenarios such as "adb install" of
APKs.

Test: no longer see SELinux map denial on "adb install"
Change-Id: Id6016dd0b3f15dfdb0f02509ea812dee61ac78ed
diff --git a/private/system_server.te b/private/system_server.te
index bbd031b..d1e09be 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -481,7 +481,7 @@
shell_data_file
app_data_file
privapp_data_file
-}:file { getattr read write append };
+}:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
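Review bot: map is added at `}:file { getattr read write append map };` for every type in the set (shell_data_file, app_data_file, privapp_data_file and whatever precedes them above the hunk), while the commit message justifies it only with "adb install". Please quote the avc denial in the commit message so the target type that actually hit the map check is on record, and if only one type was denied, consider giving that type its own map rule instead of widening the shared permission set. If map is intended for all of these types, add a comment above the rule saying so and mentioning the kernel 4.14+ map check. The set has no open permission, so system_server only handles these files as descriptors opened by another domain, and a file of an app- or shell-owned type can still be written or truncated by its owner while system_server has it mapped.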