From 9e80bfc8808b4267327f4aebf030540413d7930d Mon Sep 17 00:00:00 2001
From: Calin Juravle <calin@google.com>
Date: Mon, 30 Apr 2018 14:20:34 -0700
Subject: [PATCH] Allow profman to resolve symlinks on dirs

When opening the dex files we sometimes need to check for the real location
of the file (even if it was opened via an fd).

Denial example:

avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13"
ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0
tclass=dir permissive=0

Test: verify we get no denials when taking a profile snapshot.
Bug: 77922323
Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54
---
 public/profman.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/public/profman.te b/public/profman.te
index a5c18b51d..4296d1b17 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@ allow profman user_profile_data_file:file { getattr read write lock };
 
 # Dumping profile info opens the application APK file for pretty printing.
 allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
 allow profman oemfs:file { read };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 allow profman tmpfs:file { read };
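Review bot: The added dir rule `allow profman apk_data_file:dir { getattr read search };` grants more than the denial in the commit message asks for, which only shows `getattr` on the directory; the same wider grant is repeated for `app_data_file:dir` in the second hunk. Resolving the real path of an already-open file typically needs `search` on each traversed directory and `getattr` on the components, whereas `read` on a dir additionally permits listing its contents, so unless profman enumerates these directories the rule could be tightened to `allow profman apk_data_file:dir { getattr search };` (and likewise for `app_data_file:dir`). Either way the new lines sit under a comment that describes opening the APK file, not directory access, so a short why-comment such as `# Resolving the real path of an opened dex file (symlinked dirs) needs dir getattr/search.` above each dir rule would document the intent for the next person who sees a denial here.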
@@ -18,6 +20,7 @@ allow profman installd:fd use;
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
 allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
 
 ###
 ### neverallow rules
-- 
GitLab