Add functionfs access to system_server.

UsbDeviceManager in system_server now helps set up the endpoint files. Bug: 72877174 Test: No selinux denials Change-Id: I96b11ee68799ac29b756d2034e7f5e4660dbed98
2017-12-06 16:13:59 -08:00 · 2017-12-06 16:13:59 -08:00 · 1d40154575
commit 1d40154575
parent 17d008ae73
2 changed files with 6 additions and 1 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -105,7 +105,8 @@ full_treble_only(`
    -adbd
    -init
    -mediaprovider
-  }functionfs:file no_rw_file_perms;
+    -system_server
+  } functionfs:file no_rw_file_perms;

  # usbfs and binfmt_miscfs
  neverallow {
--- a/private/system_server.te
+++ b/private/system_server.te
@ -761,6 +761,10 @@ userdebug_or_eng(`
  allow system_server mediaextractor_update_service:service_manager find;
 ')

+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
 ###
 ### Neverallow rules
 ###