From 21cb045bd5f8715cdad13bc4f242b0e2028bc56d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 23 Jan 2017 22:19:06 -0800
Subject: [PATCH] priv_app: allow reading /cache symlink

Addresses the following denial:

  avc: denied { read } for name="cache" dev="dm-0" ino=2755
  scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0
  tclass=lnk_file permissive=0

which occurs when a priv-app attempts to follow the /cache symlink. This
symlink occurs on devices which don't have a /cache partition, but
rather symlink /cache to /data/cache.

Bug: 34644911
Test: Policy compiles.
Change-Id: I9e052aeb0c98bac74fa9225b9253b1537ffa5adc
---
 private/priv_app.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/private/priv_app.te b/private/priv_app.te
index dc1690c46..95ef3e82b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -38,6 +38,8 @@ allow priv_app recovery_service:service_manager find;
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
 
 # Write to /data/ota_package for OTA packages.
 allow priv_app ota_package_file:dir rw_dir_perms;
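Review bot: The new rule on the `+allow priv_app cache_file:lnk_file r_file_perms;` line grants more than the denial in the commit message asks for: the avc shows only `{ read }` on the lnk_file, while `r_file_perms` is a file-oriented macro that also expands to open, ioctl, lock and similar permissions that have no use on a symlink. A least-privilege grant that still resolves the denial would be `allow priv_app cache_file:lnk_file { read getattr };`, with getattr included only if lstat on the link is observed to be needed. Because the rule is unconditional, it also applies on devices where /cache is a real partition, so any symlink labeled cache_file under it becomes readable by priv_app; that is presumably acceptable but worth stating in the comment. The Test line records only a policy compile, so confirming on a device that actually symlinks /cache to /data/cache would show whether the narrower set suffices.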
-- 
GitLab