Allow app_zygote to read zygote_tmpfs. app_zygote inherits tmpfs files from zygote, and needs to be able to stat them after fork. Bug: 192634726 Bug: 192572973 Bug: 119800099 Test: forrest Ignore-AOSP-First: cherry pick of https://r.android.com/1753279 Change-Id: I6ddf433dbbf4a894fcb6d35c0cb723444d360e47

commit: 67db7e2d88ec5c635a1b3a962e722008ca9c13ef [log] [tgz]
author: Martijn Coenen <maco@google.com> Thu Jul 01 22:07:32 2021 +0200
committer: Orion Hodson <oth@google.com> Mon Jul 05 13:54:28 2021 +0000
tree: 249320747caf08b3f9611ec8513db3f29c028aa8
parent: ae1b59975adba9a79eeb1f23a8f80d109e013d11 [diff]
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
index 4ee3af7..4caa387 100644
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ b/prebuilts/api/31.0/private/app_zygote.te

@@ -41,6 +41,9 @@
 # Check SELinux permissions.
 selinux_check_access(app_zygote)
 
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######

diff --git a/private/app_zygote.te b/private/app_zygote.te
index 4ee3af7..4caa387 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te

@@ -41,6 +41,9 @@
 # Check SELinux permissions.
 selinux_check_access(app_zygote)
 
+# Read and inspect temporary files managed by zygote.
+allow app_zygote zygote_tmpfs:file { read getattr };
+
 ######
 ###### Policy below is shared with regular zygote-spawned apps
 ######
commit	67db7e2d88ec5c635a1b3a962e722008ca9c13ef	[log] [tgz]
author	Martijn Coenen <maco@google.com>	Thu Jul 01 22:07:32 2021 +0200
committer	Orion Hodson <oth@google.com>	Mon Jul 05 13:54:28 2021 +0000
tree	249320747caf08b3f9611ec8513db3f29c028aa8
parent	ae1b59975adba9a79eeb1f23a8f80d109e013d11 [diff]