Allow profman to resolve symlinks on dirs When opening the dex files we sometime need to check for the real location of the file (even if it was open via an fd). Denial example: avc: denied { getattr } for comm="profman" path="/data/app" dev="sda13" ino=1048577 scontext=u:r:profman:s0 tcontext=u:object_r:apk_data_file:s0 tclass=dir permissive=0 Test: verify we get no denials when taking a profile snapshot. Bug: 77922323 Change-Id: Ifa5570656c644819d14f46af74e4c15e903a8a54

commit: 9e80bfc8808b4267327f4aebf030540413d7930d [log] [tgz]
author: Calin Juravle <calin@google.com> Mon Apr 30 14:20:34 2018 -0700
committer: Calin Juravle <calin@google.com> Mon Apr 30 14:56:34 2018 -0700
tree: f9e5d43e2abf631efdb99e7b42705d5a3a867012
parent: 26ee5a85909fc937a31ad56ebab6bdc75044ee7c [diff]
diff --git a/public/profman.te b/public/profman.te
index a5c18b5..4296d1b 100644
--- a/public/profman.te
+++ b/public/profman.te

@@ -6,7 +6,9 @@
 
 # Dumping profile info opens the application APK file for pretty printing.
 allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
 allow profman oemfs:file { read };
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
 allow profman tmpfs:file { read };
@@ -18,6 +20,7 @@
 # are application dex files reported back to the framework when using
 # BaseDexClassLoader.
 allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
 
 ###
 ### neverallow rules
commit	9e80bfc8808b4267327f4aebf030540413d7930d	[log] [tgz]
author	Calin Juravle <calin@google.com>	Mon Apr 30 14:20:34 2018 -0700
committer	Calin Juravle <calin@google.com>	Mon Apr 30 14:56:34 2018 -0700
tree	f9e5d43e2abf631efdb99e7b42705d5a3a867012
parent	26ee5a85909fc937a31ad56ebab6bdc75044ee7c [diff]