Allow /dev/dma_heap directory to be readable
Allow everyone to read /dev/dma_heap so that they can query the set of
available heaps with the GetDmabufHeapList() API in libdmabufheap.
This patch fixes the following denials that happen when clients use the
API:
avc: denied { read } for name="dma_heap" dev="tmpfs" ino=369
scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:dmabuf_heap_device:s0
tclass=dir permissive=0
9507:05-12 17:19:59.567 1647 1647 W com.android.systemui: type=1400
audit(0.0:93): avc: denied { read } for
comm=4E444B204D65646961436F6465635F name="dma_heap" dev="tmpfs" ino=369
scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:dmabuf_heap_device:s0 tclass=dir permissive=0
app=com.android.systemui
Test: manual
Bug: 184397788
Change-Id: I84672bc0be5b409cd49080501d0bf3c269ca610c
diff --git a/public/domain.te b/public/domain.te
index 8244b9c..d84abf1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,7 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir search;
+allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;