From dd8571aa24b40add3ae78063228e61c3d1682020 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 7 Nov 2014 16:21:42 -0800
Subject: [PATCH] allow run-as to access /data/local/tmp

Otherwise denials like the following occur:

avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file
avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file

Steps to reproduce:

$ run-as com.google.android.talk id > /data/local/tmp/id.out
$ run-as com.google.android.talk cat < /data/local/tmp/id.out

Change-Id: I68a7b804336a3d5776dcc31622f1279380282030
---
 runas.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/runas.te b/runas.te
index 1ce8e64ea..97f31f728 100644
--- a/runas.te
+++ b/runas.te
@@ -7,6 +7,7 @@ allow runas adbd:process sigchld;
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
 
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
-- 
GitLab