From 05d83dd407f0dbad6e6ce39cf88b03ea75f0f9b3 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 3 Mar 2017 09:52:16 -0800
Subject: [PATCH] domain: Allow stat on symlinks in vendor

Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an SELinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.

Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f
---
 public/domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index 10e62b82a..b8004ac94 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -92,7 +92,7 @@ write_logd(domain)
 # System file accesses.
 allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
-allow domain system_file:lnk_file read;
+allow domain system_file:lnk_file { getattr read };
 
 # read any sysfs symlinks
 allow domain sysfs:lnk_file read;
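Review bot: the widened rule `allow domain system_file:lnk_file { getattr read };` gives every domain getattr on every system_file symlink, but nothing in domain.te records why; the only comment above it is the generic `# System file accesses.` Suggest a one-line comment directly above the rule saying that getattr is needed because the linker lstat()s /vendor when it is a symlink to /system/vendor, so a later audit of domain-wide grants does not treat it as removable. The grant is wider than the single keystore denial quoted in the commit message. That looks justified, since any domain loading a library through the symlinked /vendor would hit the same lstat(), but the reasoning belongs in that comment. `Test: sailfish builds` as written covers a build only, so a check on a device without a real vendor image that the lnk_file getattr denial no longer appears would complete the verification.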
-- 
GitLab