From 3bfdc6b420bc2fa60a7e8830789fec9820ecbb4d Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Mar 2014 10:31:09 -0400
Subject: [PATCH] Allow stat of /system/bin/app_process by zygote.

This resolves denials such as:
type=1400 audit(7803852.559:251): avc:  denied  { getattr } for  pid=5702 comm="main" path="/system/bin/app_process" dev="mmcblk0p25" ino=60 scontext=u:r:zygote:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file

(triggered on an art crash seen in recent AOSP master)

Rather than adding the getattr permission on its own, rewrite
the existing rule to use the rx_file_perms macro.
We already allowed most of these permissions by way of the
domain_auto_trans() rule via init_daemon_domain() and the rule
for the --invoke-with support.  Using macros helps reduce
policy fragility/brittleness.

Change-Id: Ib7edc17469c47bde9edd89f0e6cf5cd7f90fdb76
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 zygote.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zygote.te b/zygote.te
index c20072de6..345b63004 100644
--- a/zygote.te
+++ b/zygote.te
@@ -45,7 +45,7 @@ allow zygote tmpfs:filesystem mount;
 allow zygote labeledfs:filesystem remount;
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file { execute_no_trans open };
+allow zygote zygote_exec:file rx_file_perms;
 
 # handle bugreports b/10498304
 allow zygote ashmem_device:chr_file execute;
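Review bot: The comment above the rewritten rule still describes it as only serving --invoke-with, but the rule is now the vehicle for the getattr (and whatever else rx_file_perms expands to, presumably read/open/execute) that the crash path in the commit message needs, so the comment no longer explains why the broader permission set is justified. Since the macro's expansion is not visible in this hunk, a reader auditing zygote's access to its own executable has to look it up to see the widening from `{ execute_no_trans open }`. I would reword the comment to `# Handle --invoke-with command when launching Zygote with a wrapper command, and let zygote stat/read its own executable (needed e.g. by crash handling; see the getattr denial in the commit message).` so that a future reviewer does not tighten it back to the two original permissions.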
-- 
GitLab