From 4397f08288890ef397697b4d6dbff596bdca14c8 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Jul 2017 09:32:10 -0400
Subject: [PATCH] sepolicy: Define and allow map permission

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap")
added a map permission check on mmap so that we can
distinguish memory mapped access (since it has different implications
for revocation).  The purpose of a separate map permission check on
mmap(2) is to permit policy to prohibit memory mapping of specific files
for which we need to ensure that every access is revalidated, particularly
useful for scenarios where we expect the file to be relabeled at runtime
in order to reflect state changes (e.g. cross-domain solution, assured
pipeline without data copying).  The kernel commit is anticipated to
be included in Linux 4.13.

This change defines map permission for the Android policy.  It mirrors
the definition in the kernel classmap by adding it to the common
definitions for files and sockets.  This will break compatibility for
kernels that predate the dynamic class/perm mapping support (< 2.6.33);
on such kernels, one would instead need to add map permission
to the end of each file and socket access vector.

This change also adds map permission to the global macro definitions for
file permissions, thereby allowing it in any allow rule that uses these
macros, and to specific rules allowing mapping of files from /system
and executable types. This should cover most cases where it is needed,
although it may still need to be added to specific allow rules when the
global macros are not used.

Test: Policy builds

Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 private/access_vectors | 2 ++
 public/domain.te       | 2 +-
 public/global_macros   | 6 +++---
 public/te_macros       | 4 ++--
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/private/access_vectors b/private/access_vectors
index ad4624d31..e45d0b2af 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
@@ -46,6 +47,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect
diff --git a/public/domain.te b/public/domain.te
index ed7403bba..5e721438c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -94,7 +94,7 @@ write_logd(domain)
 
 # System file accesses.
 allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 
 # read any sysfs symlinks
diff --git a/public/global_macros b/public/global_macros
index 4ea8dc3ba..bcfb68644 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -18,9 +18,9 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')
diff --git a/public/te_macros b/public/te_macros
index ee19b003e..049ac8ed5 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -8,10 +8,10 @@
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.
-- 
GitLab