From cee6a0e748d39a5d94ab56c20ffb6669423696fc Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Wed, 27 Jan 2016 10:54:16 -0800
Subject: [PATCH] zygote: grant perms from domain_deprecated

In preparation of removing permissions from domain_deprecated.

Addresses:
avc: denied { read } for name="ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { open } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file
avc: denied { getattr } for path="/proc/220/net/ipv6_route" dev="proc" ino=4026536875 scontext=u:r:zygote:s0 tcontext=u:object_r:proc_net:s0 tclass=file

Change-Id: Ie94d3db3c5dccb8077ef5da26221a6413f5d19c2
---
 zygote.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/zygote.te b/zygote.te
index 30ac4edc9..421a54b84 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,6 +64,16 @@ allow zygote storage_file:dir { search mounton };
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+allow zygote rootfs:file r_file_perms;
+
+# System file accesses.
+allow zygote system_file:dir r_dir_perms;
+allow zygote system_file:file r_file_perms;
+
 userdebug_or_eng(`
 # Allow zygote to create and write method traces in /data/misc/trace.
 allow zygote method_trace_data_file:dir w_dir_perms;