Allow zygote to scan static overlays on /oem During preloading resources, zygote scans the overlay directories of supported partitions looking for android RROs to apply statically. Zygote currently is allowed to read overlays in /oem/overlay, but zygote does not have the search permission to be able to scan /oem. Without this patch, this denial is logged: 04-04 14:57:40.136 876 876 I auditd : type=1400 audit(0.0:9): avc: denied { search } for comm="main" name="oem" dev="dm-3" ino=46 scontext=u:r:zygote:s0 tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0 Bug: 121033532 Test: booting without denials and stat oem succeeds Change-Id: I661f3e0aff7ec3513870d08ddc122fc359b8f995

commit: ef1a64e231649bb35bcd4c651665709af5d13021 [log] [tgz]
author: Ryan Mitchell <rtmitchell@google.com> Tue Apr 16 16:00:32 2019 -0700
committer: Ryan Mitchell <rtmitchell@google.com> Wed Apr 17 16:06:34 2019 +0000
tree: d0cd9de77cc52402e48404d124935917035af13e
parent: 3cba24a81a3e77251f942c1e480309218a0ff5e1 [diff]
diff --git a/private/zygote.te b/private/zygote.te
index 759fc34..0466372 100644
--- a/private/zygote.te
+++ b/private/zygote.te

@@ -118,6 +118,9 @@
 # System file accesses.
 r_dir_file(zygote, system_file)
 
+# /oem accesses.
+allow zygote oemfs:dir search;
+
 userdebug_or_eng(`
   # Allow zygote to create and write method traces in /data/misc/trace.
   allow zygote method_trace_data_file:dir w_dir_perms;
commit	ef1a64e231649bb35bcd4c651665709af5d13021	[log] [tgz]
author	Ryan Mitchell <rtmitchell@google.com>	Tue Apr 16 16:00:32 2019 -0700
committer	Ryan Mitchell <rtmitchell@google.com>	Wed Apr 17 16:06:34 2019 +0000
tree	d0cd9de77cc52402e48404d124935917035af13e
parent	3cba24a81a3e77251f942c1e480309218a0ff5e1 [diff]