Merge "Constrain getattr for app data directories." into rvc-qpr-dev

Author: AlanStokes

prebuilts/api/30.0/private/mls

@@ -54,7 +54,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
 	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);

private/mls

@@ -54,7 +54,7 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
 # Only constrain open, not read/write.
 # Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
 # Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
 	     ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
 mlsconstrain { file sock_file } { open setattr unlink link rename }
 	     ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);