cert-transparency: fix chrome failing to read command-line file

[Surendrajat]

fixes https://github.com/httptoolkit/httptoolkit/issues/325

Turns out Chrome tries to read the chrome-command-line file from /data/local/ (unless ROM is userdebug and /data/local/tmp/chrome-command-line is present - ref) and fails due to the following SELinux error:

avc: denied { open } for path="/data/local/chrome-command-line" dev="mmcblk0p69" ino=2891798 scontext=u:r:untrusted_app:s0:c141,c256,c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0 app=com.android.chrome

This only happens when SELinux is Enforcing and simply updating SELinux context of /data/local/tmp/chrome-command-line to u:object_r:shell_data_file:s0 (which is the context of files in /data/local/tmp/) should solve this issue.

[CLAassistant]

All committers have signed the CLA.

[pimterry]

Wow, great find, thanks! Yes, I'm very happy to include this, that makes good sense.

Out of interest, do you know under which conditions SELinux enforces this? I haven't seen it on my test devices, but it does neatly explain some occasional real user issues like this bug you linked, and I've definitely seen the same issue elsewhere (the CA certs we inject require a similar setting).

[Surendrajat]

@pimterry SELinux policy for files in /data/local/ is more restrictive by default unless your device meets one of the following scenarios:

1. ROM build type is userdebug/eng + /data/local/tmp/chrome-command-line is present (source)
2. command_line_on_non_rooted_enabled flag is set to true (as you recommended in https://github.com/httptoolkit/httptoolkit/issues/325) + /data/local/tmp/chrome-command-line is present

As a side note, please do test this before merging as I've only tested this manually (via adb) & in some internal product yet.

[pimterry]

Tested, this all looks good to me! Merged, I'll ship this out in the next release, watch this space.

[Surendrajat]

awesome!