commit d7f811913bd558f40b92bc1974f8f2fe15b9c620
author Jiakai Zhang <jiakaiz@google.com> Mon Dec 12 13:45:13 2022 +0000
committer Jiakai Zhang <jiakaiz@google.com> Tue Dec 13 16:03:22 2022 +0000
tree 072be69fb3d30c94cbddaf3e87c3b9a11e3da6cb
parent 6834597a419f619111f8e2b004555cbb2a32c044

Allow artd to access files for restorecon.

Otherwise, we will get SELinux denials like:
W binder:5750_1: type=1400 audit(0.0:133): avc: denied { read } for name="plat_file_contexts" dev="dm-1" ino=979 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0
W binder:5750_1: type=1400 audit(0.0:134): avc: denied { read } for name="system_ext_file_contexts" dev="dm-3" ino=92 scontext=u:r:artd:s0 tcontext=u:object_r:file_contexts_file:s0 tclass=file permissive=0

Bug: 262230400
Test: No longer see such SELinux denials.
Change-Id: Iec586c554fa2dc33f0a428321bada484add620ed

private/artd.te

diff --git a/private/artd.te b/private/artd.te
index c91657c..88094e7 100644
--- a/private/artd.te
+++ b/private/artd.te
@@ -87,6 +87,13 @@
 # for GMS because so far we only see GMS using symlinks.
 allow artd privapp_data_file:lnk_file { getattr read };
 
+# Read access to SELinux context files, for restorecon.
+allow artd file_contexts_file:file r_file_perms;
+allow artd seapp_contexts_file:file r_file_perms;
+
+# Check validity of SELinux context, for restorecon.
+selinux_check_context(artd)
+
 # Never allow running other binaries without a domain transition.
 # The only exception is art_exec. It is allowed to use the artd domain because
 # it is a thin wrapper that executes other binaries on behalf of artd.