Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access. SELinux has a separate file mmap permission in 4.14+ kernels. Add this to dexoptanalyzer(d) in cases where it could already access files (in particular, secondary dex files). Addresses denials of the form: avc: denied { map } for […] path="/data/data/[…]" […] scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel and check the absence of SELinux denials Bug: 138683603 Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555

commit: c72b7d17310499f6bd6545e0e509fd603045d329 [log] [tgz]
author: Roland Levillain <rpl@google.com> Fri Aug 16 19:56:03 2019 +0100
committer: Roland Levillain <rpl@google.com> Fri Aug 16 20:02:32 2019 +0100
tree: 645cd24b5d783939e1cd7650d83fdd0e7e6de8c6
parent: 3e7429359fd5cf724cfe02efec52f5485c217c9b [diff]
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index a978af6..1f92462 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te

@@ -25,7 +25,7 @@
 # Allow reading secondary dex files that were reported by the app to the
 # package manager.
 allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
+allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
 # dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
 # "dontaudit...audit_access" policy line to suppress the audit access without
 # suppressing denial on actual access.
commit	c72b7d17310499f6bd6545e0e509fd603045d329	[log] [tgz]
author	Roland Levillain <rpl@google.com>	Fri Aug 16 19:56:03 2019 +0100
committer	Roland Levillain <rpl@google.com>	Fri Aug 16 20:02:32 2019 +0100
tree	645cd24b5d783939e1cd7650d83fdd0e7e6de8c6
parent	3e7429359fd5cf724cfe02efec52f5485c217c9b [diff]