Allow profman to resolve symlinks on dirs

When opening the dex files we sometime need to check for the real location of the file (even if it was open via an fd). Denial example: avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13" ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Test: verify we get no denials when taking a profile snapshot. Bug: 77922323 Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54

Allow profman to resolve symlinks on dirs
When opening the dex files we sometime need to check for the real location of the file (even if it was open via an fd). Denial example: avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13" ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Test: verify we get no denials when taking a profile snapshot. Bug: 77922323 Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54
9e80bfc8 · Calin Juravle · 26ee5a85 · 9e80bfc8
Commit 9e80bfc8 authored 6 years ago by Calin Juravle
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@ allow profman user_profile_data_file:file { getattr read write lock };
 # Dumping profile info opens the application APK file for pretty printing.
 allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
 allow profman oemfs:file { read };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 allow profman tmpfs:file { read };
@@ -18,6 +20,7 @@ allow profman installd:fd use;
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
 allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
 ###
 ### neverallow rules