Relax some neverallow rules
Kernels above 4.14 have a new mmap permission. However, neverallow rules
exclude the use of mmap, even when file FDs are passable across the
vendor/non-vendor boundary. Since we allow reading / writing of passed
file descriptors, also allow the use of mmap for passed file
descriptors.
Bug: 112171217
Test: policy compiles
Change-Id: I8176f86960bdff0cf5de770809510e9df5d62db9
diff --git a/public/domain.te b/public/domain.te
index 85b8ff2..a049094 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -819,7 +819,7 @@
} {
data_file_type
-core_data_file_type
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
neverallow {
@@ -851,7 +851,7 @@
# files in /data/misc/zoneinfo/tzdata file. These functions are considered
# vndk-stable and thus must be allowed for all processes.
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
neverallow {
vendor_init
-data_between_core_and_vendor_violators
@@ -859,7 +859,7 @@
core_data_file_type
-unencrypted_data_file
-zoneinfo_data_file
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
# vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
# The vendor init binary lives on the system partition so there is not a concern with stability.
neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
@@ -925,7 +925,7 @@
-init
} {
vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
- }:file_class_set ~{ append getattr ioctl read write };
+ }:file_class_set ~{ append getattr ioctl read write map };
')
# On TREBLE devices, a limited set of files in /vendor are accessible to