From 81560733a47633036133ce548bf638bc3d91f5cf Mon Sep 17 00:00:00 2001
From: Geremy Condra <gcondra@google.com>
Date: Fri, 30 Aug 2013 13:02:30 -0700
Subject: [PATCH] Fix denials encountered while getting bugreports.

Bug: 10498304
Change-Id: I312665a2cd09fa16ae3f3978aebdb0da99cf1f74
---
 app.te    | 4 ++--
 domain.te | 2 +-
 zygote.te | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index d90185c39..aaf811a68 100644
--- a/app.te
+++ b/app.te
@@ -76,8 +76,8 @@ allow appdomain isolated_app:unix_stream_socket { read write };
 
 # Backup ability for every app. BMS opens and passes the fd
 # to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write };
-allow appdomain  cache_backup_file:file { read write };
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
 # Backup ability using 'adb backup'
 allow appdomain system_data_file:lnk_file getattr;
 
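Review bot: The comment above these two rules still explains only why `open` is absent and says nothing about the newly added `getattr`, and the commit message does not quote the denials that motivated it. Since BMS opens the file and passes the fd, `getattr` here presumably covers an fstat() on the received descriptor. Once that is confirmed against the logged denial, a line such as `# getattr: apps stat the fd passed in by BMS (still no open).` would record it. The same missing rationale applies to the `getattr` additions in domain.te and zygote.te.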
diff --git a/domain.te b/domain.te
index 291c56246..f4fd6ae4f 100644
--- a/domain.te
+++ b/domain.te
@@ -81,7 +81,7 @@ allow domain system_data_file:file { getattr read };
 allow domain system_data_file:lnk_file read;
 
 # Read apk files under /data/app.
-allow domain apk_data_file:dir search;
+allow domain apk_data_file:dir { getattr search };
 allow domain apk_data_file:file r_file_perms;
 
 # Read /data/dalvik-cache.
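Review bot: `allow domain apk_data_file:dir { getattr search };` grants the new permission to every domain, although the commit is about denials seen while taking a bugreport. If the denial came from a single source domain, the tighter fix is to add `getattr` in that domain's .te file and leave this rule as `search`. The added exposure is small, because all domains can already search the directory and read the files in it, but domain-wide rules are hard to retract later. If the permission really is needed everywhere, the comment should say so, e.g. `# Read apk files under /data/app (dir getattr needed by <source domain>).`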
diff --git a/zygote.te b/zygote.te
index 9a5bc4b67..0fb384214 100644
--- a/zygote.te
+++ b/zygote.te
@@ -12,7 +12,7 @@ allow zygote self:capability setpcap;
 allow zygote system:process dyntransition;
 allow zygote appdomain:process dyntransition;
 # Allow zygote to read app data dirs (b/10455872)
-allow zygote appdomain:dir search;
+allow zygote appdomain:dir { getattr search };
 allow zygote appdomain:file { r_file_perms };
 # Move children into the peer process group.
 allow zygote system:process { getpgid setpgid };
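Review bot: The comment above the changed rule describes access to app data dirs, but the target type is `appdomain`, a process domain, so the `dir` objects it matches are most likely the apps' /proc/<pid> entries. With `getattr` added, zygote can now stat those entries as well as traverse them. The comment should state what is actually covered and cite this change's bug, e.g. `# Allow zygote to stat and search appdomain dirs (b/10455872, b/10498304)`. The intended object is worth confirming before merging, because if data directories were meant, the rule should name their file type instead.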
-- 
GitLab