Sepolicy: Allow system server to exec zygote_exec
Under ASAN, allow system-server to execute app_process. This is
required for wrap-property execution.
Bug: 36138508
Test: m && SANITIZE_TARGET m
Change-Id: Ic637e5205ea86e0edcd66ab387e89b27afef6b99
diff --git a/private/system_server.te b/private/system_server.te
index 208eb73..a1c4a1f 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -661,11 +661,12 @@
allow system_server debugfs_tracing_instances:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
-# allow system_server to exec shell on ASAN builds. Needed to run
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
# asanwrapper.
with_asan(`
allow system_server shell_exec:file rx_file_perms;
allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
')
###
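Review bot: The comment above the `with_asan` block still ends with "Needed to run asanwrapper.", so the added `zygote_exec` rule has no stated reason in the policy file. The commit message gives the reason (wrap-property execution), and the comment should carry it too, e.g. `# Needed to run asanwrapper and, for wrap-property execution, app_process.` Also, `rx_file_perms` includes `execute_no_trans`, so unless a transition is defined elsewhere, app_process started this way stays in the `system_server` domain. A one-line comment saying this is intentional and must stay inside `with_asan` would help anyone auditing what system_server may execute on non-ASAN builds.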