From 4481b885c945826d0c9ac0c608ae45ca385996ec Mon Sep 17 00:00:00 2001
From: Andreas Gampe <agampe@google.com>
Date: Wed, 20 Sep 2017 21:34:55 -0700
Subject: [PATCH] Selinux: Give runas permission to read system_data_file links

Run-as is running a command under an app's uid and in its data
directory. That data directory may be accessed through a symlink
from /data/user. So give runas rights to read such a symlink.

Bug: 66292688
Test: manual
Test: CTS JVMTI tests
Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6
---
 public/runas.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/public/runas.te b/public/runas.te
index b8092ae6f..ca6f4f696 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -14,6 +14,9 @@ allow runas shell_data_file:file { read write };
 allow runas system_data_file:file r_file_perms;
 allow runas system_data_file:lnk_file getattr;
 
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
 allow runas app_data_file:dir { getattr search };
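Review bot: The added `allow runas system_data_file:lnk_file read;` covers every symlink labelled `system_data_file`, not only the link under /data/user that the commit message names. The comment above it should record that scope, for example `# /data/user may reach the app data dir through a symlink; note that this grants read on all system_data_file links, not only that one.` Whether a narrower label exists for that link cannot be told from this hunk, so it is worth confirming before treating the broad type as the only option. As a style point, the rule can be folded into the existing getattr rule two lines up as `allow runas system_data_file:lnk_file { getattr read };`, which keeps all of the domain's lnk_file permissions on this type in one place for auditing.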
-- 
GitLab