From ef6358bb77384148c08fd7fa6220f5fd6ca85c9c Mon Sep 17 00:00:00 2001
From: Florian Mayer <fmayer@google.com>
Date: Fri, 23 Feb 2018 16:47:38 +0000
Subject: [PATCH] Allow traced_probes to list the system partition

Relevant denies:

[    2.560660] type=1400 audit(1519404055.529:9): avc: denied { read }
for pid=896 comm=traced_probes name=system dev=sda22 ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Allowing only read then gives:
[    2.554718] type=1400 audit(1519404863.506:9): avc: denied { open }
for pid=890 comm="traced_probes" path="/system" dev="sda22" ino=17
scontext=u:r:traced_probes:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

Test: flashed and ran directory listing code.
Bug: 73625480
---
 private/traced_probes.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/private/traced_probes.te b/private/traced_probes.te
index 03ace75bd..22746e76b 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -32,6 +32,9 @@ r_dir_file(traced_probes, domain)
 # Allow to log to kernel dmesg when starting / stopping ftrace.
 allow traced_probes kmsg_device:chr_file write;
 
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
 ###
 ### Neverallow rules
 ###
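Review bot: The new rule `allow traced_probes system_file:dir { open read };` grants open/read on every directory labelled system_file, not only the `/system` root that the quoted denials name, so the comment above it understates the scope; consider `# Allow traced_probes to list directories on the system partition (any system_file-labelled dir).`. The rule is deliberately narrower than `r_dir_perms` (no getattr, search, ioctl or lock), which is the right least-privilege default here, but a directory walk that stats its entries may still produce a getattr denial, and whether search is already granted elsewhere cannot be confirmed from this hunk. Recording that the narrow permission set is intentional, e.g. `# open+read only: listing does not need getattr/search here.`, would keep a later denial-driven change from silently widening it to the full macro.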
-- 
GitLab