Commit 05d83dd4 authored by Jeff Vander Stoep

domain: Allow stat on symlinks in vendor

Addresses:
denied { getattr } for pid=155 comm="keystore" path="/vendor"
dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0
tcontext=u:object_r:system_file:s0 tclass=lnk_file

On devices without an actual vendor image, /vendor is a symlink to
/system/vendor. When loading a library from this symlinked vendor,
the linker uses resolve_paths() resulting in an lstat(). This
generates an selinux denial. Allow this lstat() so that paths can
be resolved on devices without a real vendor image.

Bug: 35946056
Test: sailfish builds
Change-Id: Ifae11bc7039047e2ac2b7eb4fbcce8ac4580799f
parent 34ab219f
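
The denial quoted in the commit message can be checked mechanically against the `system_file:lnk_file` rule as it stood before and after this change. The Python below is an added example, not part of the commit or of the project's tooling; the function names and the `ATTRIBUTES` map (keystore treated as a member of `domain`) are assumptions made for illustration.

```python
import re

# AVC denial from the commit message, joined onto one line.
DENIAL = ('denied { getattr } for pid=155 comm="keystore" path="/vendor" '
          'dev="mmcblk0p6" ino=1527 scontext=u:r:keystore:s0 '
          'tcontext=u:object_r:system_file:s0 tclass=lnk_file')

# The lnk_file rule before and after the change, as shown on this page.
RULE_BEFORE = 'allow domain system_file:lnk_file read;'
RULE_AFTER = 'allow domain system_file:lnk_file { getattr read };'

# Assumption: keystore carries the "domain" attribute.
ATTRIBUTES = {'domain': {'keystore'}}


def parse_denial(line):
    """Return (source type, target type, class, denied permissions)."""
    perms = set(re.search(r'denied\s+\{([^}]*)\}', line).group(1).split())
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type:level; the type is the third field.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], perms


def parse_allow(rule):
    """Return (source, target, class, permissions) for one allow rule."""
    m = re.fullmatch(r'allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);',
                     rule.strip())
    src, tgt, cls, perms = m.groups()
    return src, tgt, cls, set(perms.strip('{} ').split())


def missing_perms(denial, rules):
    """Permissions in the denial that no rule in `rules` grants."""
    stype, ttype, tclass, wanted = parse_denial(denial)
    granted = set()
    for rule in rules:
        src, tgt, cls, perms = parse_allow(rule)
        # The rule's source may be the type itself or an attribute it has.
        # Target attributes are not expanded in this example.
        src_match = src == stype or stype in ATTRIBUTES.get(src, ())
        if src_match and tgt == ttype and cls == tclass:
            granted |= perms
    return wanted - granted
```

With the old rule the check reports `getattr` as still missing, because `read` on a symlink covers following it but not the lstat(); with the new rule nothing is missing.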
...@@ -92,7 +92,7 @@ write_logd(domain) ...@@ -92,7 +92,7 @@ write_logd(domain)
# System file accesses. # System file accesses.
allow domain system_file:dir { search getattr }; allow domain system_file:dir { search getattr };
allow domain system_file:file { execute read open getattr }; allow domain system_file:file { execute read open getattr };
allow domain system_file:lnk_file read; allow domain system_file:lnk_file { getattr read };
# read any sysfs symlinks # read any sysfs symlinks
allow domain sysfs:lnk_file read; allow domain sysfs:lnk_file read;