asan: global read access to /system/asan.options

Bug: 117178352
Test: no denials to /system/asan.options on asan walleye
Change-Id: I6042693afb926a22a3e2be79bd2a7ba062806143

private/compat/28.0/28.0.cil

@@ -1565,6 +1565,7 @@
     system_data_file))
 (typeattributeset system_file_28_0
   ( system_file
+    system_asan_options_file
     system_lib_file
     system_linker_config_file
     system_linker_exec

private/file_contexts_asan

@@ -4,6 +4,7 @@
 /data/asan/vendor/lib64(/.*)?              u:object_r:system_file:s0
 /data/asan/odm/lib(/.*)?                   u:object_r:system_file:s0
 /data/asan/odm/lib64(/.*)?                 u:object_r:system_file:s0
+/system/asan.options           u:object_r:system_asan_options_file:s0
 /system/bin/asan_extract       u:object_r:asan_extract_exec:s0
 /system/bin/asanwrapper        u:object_r:asanwrapper_exec:s0
 /system/bin/asan/app_process   u:object_r:zygote_exec:s0

public/domain.te

@@ -300,6 +300,8 @@ allow { domain -domain } vndservice_manager_type:service_manager { add find };
 
 # Under ASAN, processes will try to read /data, as the sanitized libraries are there.
 with_asan(`allow domain system_data_file:dir getattr;')
+# Under ASAN, /system/asan.options needs to be globally accessible.
+with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 ###
 ### neverallow rules

public/file.te

@@ -132,6 +132,8 @@ type unlabeled, file_type;
 
 # Default type for anything under /system.
 type system_file, system_file_type, file_type;
+# Default type for /system/asan.options
+type system_asan_options_file, system_file_type, file_type;
 # Default type for anything under /system/lib[64].
 type system_lib_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].