From b1feedc2b17898c2c7395d4248f97f365247417c Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Fri, 16 Nov 2018 18:10:50 +0900
Subject: [PATCH] Allow domain to getattr on apex_mnt_dir

The dynamic linker calls realpath(3) on paths found in the linker config
script. Since realpath() calls lstat() on the parent paths, not allowing
getattr on /apex and its subdirectories will cause selinux denial spam
whenever something is executed from APEXes.

Silence the spam by allowing getattr on apex_mnt_dir.

Bug: 117403679
Bug: 115787633
Test: m apex.test; m; device is bootable

Change-Id: Ic659582760a3ae146e73770266bc64332b36a97c
---
 public/domain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/domain.te b/public/domain.te
index 20ae4a9f1..b788f0d72 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -328,7 +328,7 @@ with_asan(`allow domain system_data_file:dir getattr;')
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
 # read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
 ###
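Review bot: the comment directly above the rule ("# read APEX dir and stat any symlink pointing to APEXs.") no longer matches what the rules grant after this change: the `dir` rule now allows `{ getattr search }` rather than read, and the reason for `getattr` (the dynamic linker's realpath(3) lstat()ing each parent path) is only recorded in the commit message. Suggest updating the comment in the same hunk so the rationale survives in `public/domain.te`, e.g. "# search/stat the APEX mount dir (realpath in the linker lstat()s parent dirs) and stat any symlink pointing to APEXs." Since the grant is to `domain`, i.e. every process, it is worth stating in the comment that only directory metadata on the mount point is exposed, not the contents of the APEXes, so that later reviewers do not widen it to `r_dir_perms` without thinking.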
-- 
GitLab