From 3cc71b09d660636fde297cd400d27450a623c62c Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Fri, 17 Mar 2017 10:08:52 -0700
Subject: [PATCH] Sepolicy: Allow postinstall to read links

Certain libraries may actually be symbolic links. Allow OTA dexopt to
read those links.

Bug: 25612095
Test: m
Change-Id: Iafdb899a750bd8d1ab56e5f6dbc09d836d5440ed
---
 public/dex2oat.te            | 1 +
 public/postinstall_dexopt.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/public/dex2oat.te b/public/dex2oat.te
index 72b04a107..6421d930c 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -34,6 +34,7 @@ allow dex2oat app_data_file:file { getattr read write lock };
 allow dex2oat postinstall_dexopt:fd use;
 
 allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:lnk_file read;
 
 # Allow dex2oat access to files in /data/ota.
 allow dex2oat ota_data_file:dir ra_dir_perms;
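Review bot: The added `allow dex2oat postinstall_file:lnk_file read;` rule has no comment, so the policy file itself does not record why dex2oat needs to read symlinks of this type; the same applies to the matching rule added in public/postinstall_dexopt.te. I would put `# Libraries labelled postinstall_file may be symlinks; allow reading the link itself.` above each rule, in the style of the existing `# Allow dex2oat access to files in /data/ota.` comment. The grant covers only reading the link, and access to whatever it points at is still decided by the target's own type, which is worth stating so the rule is not widened later by habit. If the loader also calls lstat() on these links, a `getattr` denial on `lnk_file` would presumably appear at runtime, and since `Test: m` is a build-only check, it would be prudent to confirm against the audit log from an actual OTA dexopt run.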
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 5fdc51031..76001f7bb 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -8,6 +8,7 @@ type postinstall_dexopt, domain;
 allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
 
 allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file read;
 allow postinstall_dexopt proc:file { getattr open read };
 allow postinstall_dexopt tmpfs:file read;
 
-- 
GitLab