From 93318192a061e84acd6ff209d4a89bfd876903da Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Sat, 6 Oct 2018 16:16:46 -0700
Subject: [PATCH] asan: global read access to /system/asan.options

Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143
---
 private/compat/28.0/28.0.cil | 1 +
 private/file_contexts_asan   | 1 +
 public/domain.te             | 2 ++
 public/file.te               | 2 ++
 4 files changed, 6 insertions(+)

diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 6e82651a4..e84c3adbe 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1565,6 +1565,7 @@
     system_data_file))
 (typeattributeset system_file_28_0
   ( system_file
+    system_asan_options_file
     system_lib_file
     system_linker_config_file
     system_linker_exec
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 17ee9d795..c7d72a480 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -4,6 +4,7 @@
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /data/asan/odm/lib(/.*)?                   u:object_r:system_file:s0
 /data/asan/odm/lib64(/.*)?                 u:object_r:system_file:s0
+/system/asan.options           u:object_r:system_asan_options_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
 /system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
 /system/bin/asan/app_process   u:object_r:zygote_exec:s0
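Review bot: The added `/system/asan.options` entry leaves the dot unescaped, and file_contexts paths are regular expressions, so the pattern matches any single character in that position rather than only a literal dot. Writing it as `/system/asan\.options           u:object_r:system_asan_options_file:s0` pins the label to the one file. The practical exposure is probably small because /system is normally mounted read-only. It is still worth the backslash, since this label is paired with a rule in public/domain.te that grants read access to every domain.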
diff --git a/public/domain.te b/public/domain.te
index 176ab480d..16cc09884 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -300,6 +300,8 @@ allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
 # Under ASAN, processes will try to read /data, as the sanitized libraries are there.
 with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 ###
 ### neverallow rules
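Review bot: The new comment above the `with_asan` rule says the file "needs to be globally accessible" but not why, which makes an all-domain grant harder to audit later. Presumably the sanitizer runtime linked into each process reads the options file itself, so something like `# Under ASAN, the sanitizer runtime in every process reads /system/asan.options, so all domains need read (never write) access.` would record that. It would also help to note that the grant is `r_file_perms` only and is compiled in solely on ASAN builds via `with_asan`. If no existing neverallow already prevents domains from writing `system_file_type` files, a matching write restriction for `system_asan_options_file` would be worth adding. That cannot be confirmed from this hunk.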
diff --git a/public/file.te b/public/file.te
index b0e36a628..8e31f2cda 100644
--- a/public/file.te
+++ b/public/file.te
@@ -132,6 +132,8 @@ type unlabeled, file_type;
 
 # Default type for anything under /system.
 type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
 type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
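Review bot: The comment `# Default type for /system/asan.options` copies the "Default type" wording of its neighbours, but this is a dedicated label for a single file rather than a fallback. A more accurate line would be `# Type for /system/asan.options; readable by all domains on ASAN builds (see with_asan rule in domain.te).` The type is declared unconditionally here, while the label assignment lives only in private/file_contexts_asan and the allow rule sits behind `with_asan`. Saying so in the comment would explain why the type exists but is unused on non-ASAN builds.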
-- 
GitLab