Selinux: Give runas permission to read system_data_file links

Run-as is running a command under an app's uid and in its data directory. That data directory may be accessed through a symlink from /data/user. So give runas rights to read such a symlink. Bug: 66292688 Test: manual Test: CTS JVMTI tests Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6

Selinux: Give runas permission to read system_data_file links
4481b885 · Andreas Gampe · 3b24ce50 · 4481b885
Commit 4481b885 authored 7 years ago by Andreas Gampe
--- a/public/runas.te
+++ b/public/runas.te
@@ -14,6 +14,9 @@ allow runas shell_data_file:file { read write };
 allow runas system_data_file:file r_file_perms;
 allow runas system_data_file:lnk_file getattr;

+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
 allow runas app_data_file:dir { getattr search };