Allow artd to read symlinks for secondary dex files. Otherwise, we will encounter SELinux denials like: W binder:6200_7: type=1400 audit(0.0:327): avc: denied { read } for name="PrebuiltGmsCoreNext_DynamiteLoader.apk" dev="dm-51" ino=2576 scontext=u:r:artd:s0 tcontext=u:object_r:privapp_data_file:s0:c512,c768 tclass=lnk_file permissive=0 Bug: 262230400 Test: No longer see such SELinux denials. Change-Id: Iccb97b1973f8efbe859b59e729f7a0194d05ba5e

commit: 6834597a419f619111f8e2b004555cbb2a32c044 [log] [tgz]
author: Jiakai Zhang <jiakaiz@google.com> Mon Dec 12 14:34:50 2022 +0000
committer: Jiakai Zhang <jiakaiz@google.com> Tue Dec 13 14:49:20 2022 +0000
tree: e2214a274083d326775227a2d31e910ec21e57ff
parent: bc9ce78119ff0fdcb50e7fd414480e3e33ea5b55 [diff] [blame]
diff --git a/private/artd.te b/private/artd.te
index 96b2990..c91657c 100644
--- a/private/artd.te
+++ b/private/artd.te

@@ -82,6 +82,11 @@
 allow artd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
 allow artd app_data_file_type:file { create_file_perms relabelfrom relabelto };
 
+# Allow symlinks for secondary dex files. This has be to restricted because
+# symlinks can cause various security issues. We allow "privapp_data_file" just
+# for GMS because so far we only see GMS using symlinks.
+allow artd privapp_data_file:lnk_file { getattr read };
+
 # Never allow running other binaries without a domain transition.
 # The only exception is art_exec. It is allowed to use the artd domain because
 # it is a thin wrapper that executes other binaries on behalf of artd.
commit	6834597a419f619111f8e2b004555cbb2a32c044	[log] [tgz]
author	Jiakai Zhang <jiakaiz@google.com>	Mon Dec 12 14:34:50 2022 +0000
committer	Jiakai Zhang <jiakaiz@google.com>	Tue Dec 13 14:49:20 2022 +0000
tree	e2214a274083d326775227a2d31e910ec21e57ff
parent	bc9ce78119ff0fdcb50e7fd414480e3e33ea5b55 [diff] [blame]