Allow dexoptanalyzer to mmap files with Linux 4.14+ that it can already access.
SELinux has a separate file mmap permission in 4.14+ kernels. Add this to dexoptanalyzer(d) in cases where it could already access files (in particular, secondary dex files).

Addresses denials of the form:

avc: denied { map } for […] path="/data/data/[…]" […] scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0

Test: Reproduce steps in bug 138683603 on a device with a 4.14+ kernel and check the absence of SELinux denials
Bug: 138683603
Change-Id: Ieba53eb431c0ba3914dcb5e5abdae667bd063555
parent 3e7429359f
commit c72b7d1731

1 changed file with 1 addition and 1 deletion
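The commit message above derives a policy rule from an `avc: denied { map }` line. The script below is an added example, not part of this commit or of the sepolicy project; it does, in miniature, what a practitioner otherwise does with audit2allow: parse avc denial lines, group them into candidate `allow` rules in the `{ type1 type2 }:class { perms }` style used in this file, and flag any denial where `map` is requested together with `write` or `execute`, since that asks for a writable or executable mapping rather than the read-only mapping granted here. The helper names (`parse_denial`, `suggest_rules`, `needs_review`) and the sample log lines, including PIDs, inode numbers and package paths, are constructed for illustration and are not device logs.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the denial quoted in the commit message.
# PIDs, paths and inode numbers are invented; the last line is not a denial at all.
SAMPLE_LOG = [
    'avc: denied { map } for pid=1234 comm="dexoptanalyzer" path="/data/data/com.example.app/code_cache/secondary.dex" dev="dm-3" ino=4242 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0',
    'avc: denied { map } for pid=1235 comm="dexoptanalyzer" path="/data/data/com.example.priv/secondary.dex" dev="dm-3" ino=4243 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:privapp_data_file:s0 tclass=file permissive=0',
    'avc: denied { read } for pid=1236 comm="dexoptanalyzer" path="/data/data/com.example.app/secondary.dex" dev="dm-3" ino=4244 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0',
    'avc: denied { map write } for pid=1237 comm="dexoptanalyzer" path="/data/data/com.example.app/secondary.dex" dev="dm-3" ino=4244 scontext=u:r:dexoptanalyzer:s0 tcontext=u:object_r:app_data_file:s0 tclass=file permissive=0',
    "init: starting service 'dexoptanalyzer'...",
]

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Parse one avc denial into its permissions, source/target types and class.

    A context such as u:r:dexoptanalyzer:s0 is user:role:type:level, so the
    type is the third colon-separated field. Returns None for non-denial lines
    and for denials missing the fields a rule needs.
    """
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("rest"))}
    try:
        return {
            "perms": set(m.group("perms").split()),
            "source": fields["scontext"].split(":")[2],
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "path": fields.get("path"),
        }
    except (KeyError, IndexError):
        return None


def suggest_rules(log_lines):
    """Group denials into candidate `allow` rules in sepolicy style.

    Targets denied the same permission set on the same class from the same
    source are merged into one rule with a `{ ... }` target list, mirroring
    `allow dexoptanalyzer { privapp_data_file app_data_file }:file { ... };`.
    """
    groups = defaultdict(set)  # (source, tclass, perms) -> set of target types
    for line in log_lines:
        d = parse_denial(line)
        if d is None:
            continue
        groups[(d["source"], d["tclass"], frozenset(d["perms"]))].add(d["target"])
    rules = []
    for (src, tclass, perms), targets in groups.items():
        tgt = " ".join(sorted(targets))
        if len(targets) > 1:
            tgt = "{ " + tgt + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)


def needs_review(log_lines):
    """Return denials that ask for `map` together with write or execute.

    `map` is checked in addition to the read/write/execute that the mapping's
    protection requires, so a bare `{ map }` denial on an already-readable file
    (the case this commit fixes) only means a read-only mmap. A `{ map write }`
    or `{ map execute }` denial means the process wanted a writable or
    executable mapping, which should not be copied into policy unreviewed.
    """
    risky = []
    for line in log_lines:
        d = parse_denial(line)
        if d and "map" in d["perms"] and d["perms"] & {"write", "execute"}:
            risky.append(d)
    return risky


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
    for d in needs_review(SAMPLE_LOG):
        print("REVIEW:", d["source"], d["target"], sorted(d["perms"]), d["path"])
```

Run against a real `logcat` or `dmesg` capture the output is a starting point only: as with audit2allow, each suggested rule still has to be checked against what the domain is meant to do, and the grouping by identical permission set is deliberate so that a one-off `write` denial is never folded into the read-only rule.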
@ -25,7 +25,7 @@ allow dexoptanalyzer system_file:file lock;
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
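Review bot: The comment introducing this block still says only "Allow reading secondary dex files", but the `file` rule below it now grants `map` as well as `getattr read` on `{ privapp_data_file app_data_file }`; extend the comment to note that `map` is required on 4.14+ kernels, where mmap is checked as a separate file permission, so a later reader does not mistake it for an execute grant. It is worth saying there too that `map` is checked on top of the `read`/`write`/`execute` the mapping's protection needs, so with `{ getattr read map }` and no `write` or `execute` the rule only permits read-only mappings, which is what the commit message claims.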