Commit 73d8d12c authored by Calin Juravle

Allow profman to resolve symlinks on dirs

When opening the dex files we sometimes need to check for the real location
of the file (even if it was opened via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323

(cherry picked from commit 9e80bfc8)

Change-Id: I934170a67640bb8534c123848468c0861b245eeb
parent fd87a92a
......@@ -6,7 +6,9 @@ allow profman user_profile_data_file:file { getattr read write lock };
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
allow profman apk_data_file:file { read };
allow profman apk_data_file:file { getattr read };
allow profman apk_data_file:dir { getattr read search };
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
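Review bot: the added `allow profman apk_data_file:dir { getattr read search };` grants more than the denial quoted in the commit message, which is only `getattr` on a `dir` at `/data/app`. Resolving a path needs `search` to traverse and `getattr` to stat, but `read` on a directory permits listing its entries; if profman never enumerates that directory, drop `read`, or quote the denial that required it. Separately, the hunk shows both `apk_data_file:file { read }` and `apk_data_file:file { getattr read }`; if both remain in the file, the first is redundant and the two should be folded into one rule.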
......@@ -18,6 +20,7 @@ allow profman installd:fd use;
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
......
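Review bot: the added `allow profman app_data_file:dir { getattr read search };` has no supporting evidence in the commit message, whose only denial is for `apk_data_file` (`path="/data/app"`), and the comment above it describes application dex files, not directories. Add a comment line saying why profman needs directory access on `app_data_file` (symlink resolution on the dex path, per the subject line) and include the matching denial. Consider limiting the permission set to `getattr search` unless directory listing is actually required.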