Allow domain to getattr on apex_mnt_dir

The dynamic linker calls realpath(3) on paths found in the linker config script. Since realpath() calls lstat() on the parent paths, not allowing getattr on /apex and its subdirectories will cause selinux denial spam whenever something is executed from APEXes. Silence the spam by allowing getattr on apex_mnt_dir. Bug: 117403679 Bug: 115787633 Test: m apex.test; m; device is bootable Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c

Allow domain to getattr on apex_mnt_dir
The dynamic linker calls realpath(3) on paths found in the linker config script. Since realpath() calls lstat() on the parent paths, not allowing getattr on /apex and its subdirectories will cause selinux denial spam whenever something is executed from APEXes. Silence the spam by allowing getattr on apex_mnt_dir. Bug: 117403679 Bug: 115787633 Test: m apex.test; m; device is bootable Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
b1feedc2 · Jiyong Park · b16dcf5f · b1feedc2
Commit b1feedc2 authored 6 years ago by Jiyong Park
--- a/public/domain.te
+++ b/public/domain.te
@@ -328,7 +328,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')

 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;

 ###