Sepolicy: Fix asanwrapper

Add asanwrapper support for system server under sanitization.

Bug: 36138508
Test: m && m SANITIZE_TARGET=address SANITIZE_LITE=true
Test: adb root && adb shell setprop wrap.system_server asanwrapper
Change-Id: Id930690d2cfd8334c933e0ec5ac62f88850331d0
diff --git a/private/system_server.te b/private/system_server.te
index d02698c..89b14a9 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -22,6 +22,9 @@
   # Report dalvikcache_data_file:file execute violations.
   auditallow system_server dalvikcache_data_file:file execute;
 ')
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
 
 # /data/resource-cache
 allow system_server resourcecache_data_file:file r_file_perms;
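Review bot: The added `with_asan` rule grants `r_file_perms` on `dalvikcache_data_file:lnk_file`, which is broader than the comment's stated purpose of following links to the system partition. Resolving a symlink should need only `read`, plus `getattr` if the loader stats the link. If nothing else is done with these links, the tighter form is `with_asan(`allow system_server dalvikcache_data_file:lnk_file { getattr read };')`. The comment could also say which component creates these links, since system_server will follow whatever they point to on a writable partition.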
@@ -655,6 +658,7 @@
 # asanwrapper.
 with_asan(`
   allow system_server shell_exec:file rx_file_perms;
+  allow system_server asanwrapper_exec:file rx_file_perms;
 ')
 
 ###
@@ -682,7 +686,7 @@
   file_type
   -toolbox_exec
   -logcat_exec
-  with_asan(`-shell_exec')
+  with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
 }:file execute_no_trans;
 
 # Ensure that system_server doesn't perform any domain transitions other than
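Review bot: The exception list on this `execute_no_trans` rule now carves out `zygote_exec`, but no hunk in this commit adds a matching allow for it. The only allow added is `asanwrapper_exec` in the `with_asan` block of the previous hunk. If a grant for `zygote_exec` exists elsewhere in the policy, it is not visible here; otherwise the exception loosens the guard without enabling anything. Either drop `-zygote_exec`, or add `allow system_server zygote_exec:file rx_file_perms;` beside the asanwrapper rule with a comment on why the wrapped server re-executes that binary in its own domain. The rule's opening line (presumably a neverallow) lies outside the hunk.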