Constrain getattr for app data directories.
This seems to have been omitted inadvertently.
Bug: 161356067
Test: Verified test app can no longer call stat()
Change-Id: I6bffa9d2932a221823648ab01b58437d5bf6e194
diff --git a/private/mls b/private/mls
index 9690440..08d4e1f 100644
--- a/private/mls
+++ b/private/mls
@@ -54,7 +54,7 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
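Review bot: The comment block above the changed `mlsconstrain dir` rule no longer matches what the rule covers. It describes the constrained permissions as `open` plus "other forms of manipulation, e.g. chmod/chown, unlink, rename", but `getattr` is a read-only metadata query, not a manipulation. Please extend the comment to say that `getattr` on app data directories is constrained as well, and why, so the permission is not dropped again in a later cleanup. Separately, the neighbouring `mlsconstrain { file sock_file } { open setattr unlink link rename }` rule in the same hunk still has no `getattr`. If that is deliberate, a sentence in the comment or the commit message saying so would help. The Test: line would also be clearer if it stated whether stat() was checked against a directory only, or also against a file inside it.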