From cc781f76c909d23c8c83d12ec770c22fe94cc855 Mon Sep 17 00:00:00 2001 From: Chenbo Feng Date: Wed, 15 Nov 2017 11:18:44 -0800 Subject: [PATCH] Allow netd to read the /dev/xt_qtaguid After move qtaguid control interface into netd. Netd need to open the xt_qtaguid resource tracking misc dev to make sure xt_qtaguid module is successfully initialized before taking action. This selinux rule change allows netd to do so and it is the same privilege normal apps currently have. Test: No more selinux denials on netd access qtaguid_device Bug: 30950746 Change-Id: I79a98bbda3f3fdb85140a06a7532cdcc4354c518 --- public/netd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/public/netd.te b/public/netd.te index a8a32bef9..ab01fd834 100644 --- a/public/netd.te +++ b/public/netd.te @@ -37,6 +37,8 @@ allow netd system_file:file lock; # TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration # complete allow netd qtaguid_proc:file rw_file_perms; +# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have. +allow netd qtaguid_device:chr_file r_file_perms; r_dir_file(netd, proc_net) # For /proc/sys/net/ipv[46]/route/flush.
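Review bot: the comment on the new `allow netd qtaguid_device:chr_file r_file_perms;` rule names the device `/dev/qtaguid`, while the subject line and commit body call it `/dev/xt_qtaguid`; please use one name in the comment so anyone auditing netd.te can match the rule to the actual misc device. Two further points on the same hunk: first, the TODO two lines above already says access to `qtaguid_proc` by other processes should be removed once the migration into netd is complete, and the new rule explicitly grants netd the same `qtaguid_device` access that normal apps have today, so the TODO should be extended to cover `qtaguid_device` as well (the end state is presumably netd being the only consumer of both). Second, the commit message says netd only needs to open the device to confirm that the xt_qtaguid module initialised; `r_file_perms` is a broader macro than `open`, so consider whether the narrower `{ open getattr }` is sufficient, or document why the full read set is wanted.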