Merge "sepolicy: Define and allow map permission"

private/access_vectors

@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
@@ -46,6 +47,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect

public/domain.te

@@ -94,7 +94,7 @@ write_logd(domain)
 
 # System file accesses.
 allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 
 # read any sysfs symlinks

public/global_macros

@@ -18,9 +18,9 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
-define(`w_file_perms', `{ open append write lock }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')

public/te_macros

@@ -8,10 +8,10 @@
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.