Merge "sepolicy: Define and allow map permission"
diff --git a/private/access_vectors b/private/access_vectors
index ad4624d..e45d0b2 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -20,6 +20,7 @@
relabelfrom
relabelto
append
+ map
unlink
link
rename
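Review bot: The new `map` permission is added to the common file vector here and to the common socket vector in the hunk at line 18 without a word on what it gates, and access_vectors is the only place a reader can look that up. A short comment on the line, `map # mmap()/mprotect() of the object, distinct from read/write/execute`, would make the later macro and domain.te changes self-explanatory. The commit title says only "Define and allow"; the motivation for adding a separate map check (a mapped file's contents can change after the read check) is not recorded anywhere in the change and would be worth stating in the commit description or here.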
@@ -46,6 +47,7 @@
relabelfrom
relabelto
append
+ map
# socket-specific
bind
connect
diff --git a/public/domain.te b/public/domain.te
index ed7403b..5e72143 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,7 +94,7 @@
# System file accesses.
allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
allow domain system_file:lnk_file { getattr read };
# read any sysfs symlinks
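Review bot: The changed rule at line 30 is one of the broadest file rules in the policy (every domain, all of system_file), and the `map` grant is added to it with no comment, so a future audit has no way to tell whether it is required or incidental. Presumably it is needed because loading system libraries and executables maps them rather than read()ing them; if so, the existing `# System file accesses.` header should say so, e.g. `# map is required: executables and shared libraries under system_file are mmap()ed, not read().` The surrounding rules for dir and lnk_file are unchanged and do not need map.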
diff --git a/public/global_macros b/public/global_macros
index 4ea8dc3..bcfb686 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -18,9 +18,9 @@
#####################################
# Common groupings of permissions.
#
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }')
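Review bot: Folding `map` into `r_file_perms`, `w_file_perms` and `x_file_perms` at lines 44-46 grants it to every rule in the policy that uses these macros, which means the new permission no longer distinguishes mmap access from ordinary read()/write() for any macro-based rule and can only be withheld in rules that spell out their permissions by hand. That is a deliberate policy-wide widening and should be documented at the point it is made, because the macro header comment still reads "Common groupings of permissions." with no mention of it; a comment such as `# map is included in the base r/w/x groupings so existing rules keep working on kernels that enforce the map permission; rules that must forbid mmap of a file should list permissions explicitly.` would record the trade-off. `rx_file_perms` and `rw_file_perms` now contain map twice through their two components, which is harmless but worth knowing when reading the expanded policy.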
diff --git a/public/te_macros b/public/te_macros
index ee19b00..049ac8e 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -8,10 +8,10 @@
#
define(`domain_trans', `
# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
allow $1 $3:process transition;
# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
# New domain can send SIGCHLD to its caller.
ifelse($1, `init', `', `allow $3 $1:process sigchld;')
# Enable AT_SECURE, i.e. libc secure mode.
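Review bot: The two allow lines at 59 and 63 add `map` to the exec and entrypoint grants inside `domain_trans` without explaining why a transition needs it; the obvious reason is that execve() maps the image, so the caller and the new domain must both be permitted to map `$2`, and a one-line comment to that effect above line 59, `# map: execve() mmap()s the executable, so both domains need it in addition to execute.`, would spare the next reader the inference. The permission lists here are spelled out rather than using `rx_file_perms`, which is consistent with the original, so no macro substitution is suggested. The `domain_trans` define continues past the end of this hunk.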