From 364fd197826ed5e635da4eb130d2e34576ea4ef3 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 8 Nov 2016 09:08:55 -0800
Subject: [PATCH] profman/debuggerd: allow libart_file:file r_file_perms

Addresses the following auditallow spam:

avc: granted { read open } for comm="profman"
path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0
tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { read open } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1897
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

avc: granted { getattr } for comm="debuggerd64"
path="/system/lib64/libart.so" dev="dm-0" ino=1837
scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file

Test: Policy compiles. Not a tightening of rules.
Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
---
 public/debuggerd.te | 2 +-
 public/domain.te    | 2 ++
 public/profman.te   | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/public/debuggerd.te b/public/debuggerd.te
index da1314a04..33f88784f 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@@ -23,7 +23,7 @@ allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
 allow debuggerd shared_relro_file:file r_file_perms;
 allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd exec_type:file r_file_perms;
+allow debuggerd { exec_type libart_file }:file r_file_perms;
 # Access app library
 allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
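Review bot: The replacement line `allow debuggerd { exec_type libart_file }:file r_file_perms;` grants more than the audit records in the commit message show, which list only read, open and getattr for debuggerd64. domain.te already allows every domain `{ execute read open getattr }` on libart_file, so what this rule actually adds is whatever r_file_perms carries beyond that set (ioctl and lock in this policy's global_macros, if I remember the macro correctly). If the only goal is to stop the auditallow spam, the `-debuggerd` exclusion in the domain.te hunk is sufficient on its own; if an explicit grant is wanted for readability, `allow debuggerd libart_file:file { read open getattr };` matches what was observed without widening. The same applies to the profman.te hunk's `allow profman libart_file:file r_file_perms;`.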
diff --git a/public/domain.te b/public/domain.te
index 68e81ed7d..88abff397 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -107,8 +107,10 @@ allow domain libart_file:file { execute read open getattr };
 auditallow {
   domain
   -appdomain
+  -debuggerd
   -dex2oat
   -dumpstate
+  -profman
   -recovery
   -zygote
 } libart_file:file { execute read open getattr };
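Review bot: Excluding `-debuggerd` and `-profman` from this auditallow drops them from audit coverage for all four permissions, including execute, although the commit message only documents read, open and getattr for either domain. A one-line `auditallow { debuggerd profman } libart_file:file execute;` after the block would keep the execute path visible while silencing the expected read/open/getattr records. A short comment on the block stating why the listed domains are excluded, e.g. `# Domains below load libart.so as part of normal operation; keep each exclusion paired with an explicit allow in its own .te file.`, would also help future readers, since today that rationale lives only in commit messages.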
diff --git a/public/profman.te b/public/profman.te
index fa3df94a6..6afd417f9 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -2,6 +2,8 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;
 
+allow profman libart_file:file r_file_perms;
+
 allow profman user_profile_data_file:file { getattr read write lock };
 
 # Dumping profile info opens the application APK file for pretty printing.
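Review bot: The added `allow profman libart_file:file r_file_perms;` is the only uncommented rule in this file section, while the neighbouring rules each carry a one-line reason (see `# Dumping profile info opens the application APK file for pretty printing.`). A comment above it such as `# profman reads libart.so; read/open showed up under the domain-wide auditallow.` keeps the file's convention and records why the grant exists. The permission breadth of r_file_perms is discussed in the debuggerd.te hunk note.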
@@ -14,4 +16,8 @@ allow profman profman_dump_data_file:file { write };
 
 allow profman installd:fd use;
 
+###
+### neverallow rules
+###
+
 neverallow profman app_data_file:notdevfile_class_set open;