Allow adbd to read file_contexts Denials for this can cause local test failures. The access is harmless, and is allowed in the host, so we also allow it in the guest. And adbd does have a legitimate use for the access. Bug: 328753027 Test: atest MicrodroidHostTests Run repeatedly on my test device Change-Id: Ic2e991122527ae9a22babb417ad90f2ceb8d15fc

commit: 55ae799b21ec591d478c5dd5a1cd303ff5ed7866 [log] [tgz]
author: Alan Stokes <alanstokes@google.com> Fri Mar 08 16:47:06 2024 +0000
committer: Alan Stokes <alanstokes@google.com> Fri Mar 08 16:47:06 2024 +0000
tree: 1be31f5c6d90a0b12fe7bfb87d3c79f677b6fa45
parent: 489766292a74127e8541fa1ad21ff41188d6834a [diff]
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 9a50f67..519b9dd 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te

@@ -54,6 +54,9 @@
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 
+# adbd may try to restorecon files (see b/328753027)
+allow adbd file_contexts_file:file r_file_perms;
+
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
commit	55ae799b21ec591d478c5dd5a1cd303ff5ed7866	[log] [tgz]
author	Alan Stokes <alanstokes@google.com>	Fri Mar 08 16:47:06 2024 +0000
committer	Alan Stokes <alanstokes@google.com>	Fri Mar 08 16:47:06 2024 +0000
tree	1be31f5c6d90a0b12fe7bfb87d3c79f677b6fa45
parent	489766292a74127e8541fa1ad21ff41188d6834a [diff]