From 5cbe41b12ffbcc3b6edde305426d0afc7a7da79c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 19 Dec 2018 12:09:42 -0800
Subject: [PATCH] rs.te: Allow following /data/user/0 symlink

The bcc command line uses /data/user/0 paths, so renderscript needs to
be able to follow those symlinks.

Addresses the following denial:

  audit(1545249938.830:2274): avc: denied { read } for comm="bcc" name="0" dev="dm-6" ino=101 scontext=u:r:rs:s0:c184,c256,c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file permissive=1 app=android.rscpp.cts

Test: cts-tradefed run cts -m CtsRsCppTestCases
Bug: 121266184
Bug: 112357170
Change-Id: I16210f9b95f386bdee0863cf0044c956af99586d
---
 private/rs.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/rs.te b/private/rs.te
index 94cf6b4e8..9229ed949 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -7,6 +7,9 @@ allow rs app_data_file:dir ra_dir_perms;
 allow rs rs_data_file:file create_file_perms;
 type_transition rs app_data_file:file rs_data_file;
 
+# Follow /data/user/0 symlink
+allow rs system_data_file:lnk_file read;
+
 # Read files from the app home directory.
 allow rs app_data_file:file r_file_perms;
 allow rs app_data_file:dir r_dir_perms;
-- 
GitLab