Selinux: Give runas permission to read system_data_file links

Run-as is running a command under an app's uid and in its data
directory. That data directory may be accessed through a symlink
from /data/user. So give runas rights to read such a symlink.

Bug: 66292688
Test: manual
Test: CTS JVMTI tests
Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6
Andreas Gampe 2017-09-20 21:34:55 -07:00
parent 3b24ce5090
commit 4481b885c9

@ -14,6 +14,9 @@ allow runas shell_data_file:file { read write };
allow runas system_data_file:file r_file_perms;
allow runas system_data_file:lnk_file getattr;
# The app's data dir may be accessed through a symlink.
allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };
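
Review bot: the new `allow runas system_data_file:lnk_file read;` rule sits directly below `allow runas system_data_file:lnk_file getattr;`, which has the same source domain, target type and class, so the two would be easier to audit as one rule, `allow runas system_data_file:lnk_file { getattr read };`. The comment above the new rule should also name the path given in the commit message (/data/user): as written, the rule lets runas read every symlink labelled system_data_file, not only that one, and someone reviewing the runas domain later needs to know which link motivated the grant.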