From 4fce0ef97c2a4cb6e0ce2adf17c012c8be6252bf Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 22 May 2014 15:00:25 -0700
Subject: [PATCH] Fix use of valgrind via app wrapping

On userdebug / eng builds, Android supports the concept of app wrapping.
You can run an app wrapped by another process. This is traditionally used
to run valgrind on apps, looking for memory leaks and other problems.

App wrapping is enabled by running the following command:

  adb shell setprop wrap.com.android.foo "TMPDIR=/data/data/com.android.foo logwrapper valgrind"

Valgrind attempts to mmap exec /system/bin/app_process, which is being denied
by SELinux. Allow app_process exec.

Addresses the following denial:

  <4>[   82.643790] type=1400 audit(16301075.079:26): avc:  denied  { execute } for  pid=1519 comm="memcheck-arm-li" path="/system/bin/app_process32" dev="mmcblk0p25" ino=61 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

Bug: 15146424

Change-Id: I65394938c53da9252ea57856d9f2de465bb30c25
---
 app.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 361530624..7e53724b9 100644
--- a/app.te
+++ b/app.te
@@ -15,7 +15,8 @@ allow appdomain ashmem_device:chr_file execute;
 allow appdomain zygote:fd use;
 
 # gdbserver for ndk-gdb reads the zygote.
-allow appdomain zygote_exec:file r_file_perms;
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
 
 # gdbserver for ndk-gdb ptrace attaches to app process.
 allow appdomain self:process ptrace;
-- 
GitLab