From 7e346c98fc9624d903b618140ebfd531c59853ff Mon Sep 17 00:00:00 2001
From: Oli Lan
Date: Thu, 30 Jan 2020 18:43:38 +0000
Subject: [PATCH] Add dac_read_search to apexd to prevent spurious denials.

As apexd now has dac_override, it should also have dac_read_search to avoid spurious denials.

Bug: 141148175
Test: Build, run apex installation, check denials.
Change-Id: I179c05b36ae0fe62d943ca59ee7f8158507f1f10
---
 private/apexd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/apexd.te b/private/apexd.te
index faff8c659..36b799903 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -45,7 +45,7 @@ allow apexd dm_device:blk_file rw_file_perms;

 # sys_admin is required to access the device-mapper and mount
 # dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };

 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
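Review bot: The comment above the changed `allow` line still names only dac_override, chown and fowner, so the policy file gives no reason for the newly granted dac_read_search; the rationale lives only in the commit message. I would add a line such as `# dac_read_search is granted alongside dac_override only to avoid spurious denials on read/search checks` directly under the snapshot-and-restore comment. As far as I can tell, dac_override already permits the read and search accesses that dac_read_search governs, so the grant should not widen what apexd can reach. Saying so in the file tells a later reader that the two capabilities belong together and should be dropped together if the snapshot and restore path is ever narrowed.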