From 52ef1d1cb2fa07311eae06d4916da97f22e90cbc Mon Sep 17 00:00:00 2001
From: Wang Han <416810799@qq.com>
Date: Tue, 11 Mar 2025 16:27:15 +0800
Subject: [PATCH] Simplify matching selinux context of child zygote (#8845)
---
 native/src/core/deny/utils.cpp | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/native/src/core/deny/utils.cpp b/native/src/core/deny/utils.cpp
index 64e175622..8173934ed 100644
--- a/native/src/core/deny/utils.cpp
+++ b/native/src/core/deny/utils.cpp
@@ -10,6 +10,7 @@
 #include
 #include
 #include
+#include
 #include "deny.hpp"
@@ -108,12 +109,11 @@ static bool proc_name_match(int pid, string_view name) {
 bool proc_context_match(int pid, string_view context) {
 char buf[PATH_MAX];
- sprintf(buf, "/proc/%d/attr/current", pid);
- if (auto fp = open_file(buf, "re")) {
- fgets(buf, sizeof(buf), fp.get());
- if (str_starts(buf, context)) {
- return true;
- }
+ char con[1024];
+
+ sprintf(buf, "/proc/%d", pid);
+ if (lgetfilecon(buf, { con, sizeof(con) }) >= 0) {
+ return str_starts(con, context);
 }
 return false;
 }
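Review bot: `str_starts(con, context)` in the new `proc_context_match` treats `con` as a NUL-terminated string, but nothing in this hunk guarantees that: `con` is uninitialised and the only check is `lgetfilecon(...) >= 0`. The wrapper is not visible here; if it is a thin xattr read it may copy the label without appending a terminator, in which case the prefix match could read past the bytes actually written. Declaring `char con[1024] = {};` and passing `{ con, sizeof(con) - 1 }` would keep the comparison bounded whatever the wrapper does. Because this match decides whether a process is treated as a child zygote, a comment such as `// label of /proc/<pid> is assumed to mirror the task's current context` would also record why the inode label can stand in for `/proc/<pid>/attr/current`.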