Allow domains to read tmpfs symlinks.

Domains have the ability to read normal tmpfs files but not symlinks. Grant this ability. In particular, allow domains to read /mnt/sdcard. Addresses the following denial: type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 (cherry-pick of commit: 2b0b8299) Bug: 20755029 Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0

Allow domains to read tmpfs symlinks.
Domains have the ability to read normal tmpfs files but not symlinks. Grant this ability. In particular, allow domains to read /mnt/sdcard. Addresses the following denial: type=1400 audit(0.0:19):avc: denied { read } for comm=4173796E635461736B202333 name="sdcard" dev="tmpfs" ino=7475 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:tmpfs:s0 tclass=lnk_file permissive=0 (cherry-pick of commit: 2b0b8299) Bug: 20755029 Change-Id: Iaa5dc278b34faf33473d3e49f92d8766ae5563c0
301555e6 · dcashman · 099d6329 · 301555e6
Commit 301555e6 authored 9 years ago by dcashman
--- a/domain.te
+++ b/domain.te
@@ -6,6 +6,7 @@ allow domain init:process sigchld;
 # Read access to properties mapping.
 allow domain kernel:fd use;
 allow domain tmpfs:file { read getattr };
+allow domain tmpfs:lnk_file { read getattr };

 # Search /storage/emulated tmpfs mount.
 allow domain tmpfs:dir r_dir_perms;