Something went wrong on our end
-
Nick Kralevich authoredhttps://android-review.googlesource.com/166419 changed the handling of non-interactive adb shells to use a socket instead of a PTY. When the stdin/stdout/stderr socket is received by /system/bin/sh, the code runs isatty() (ioctl TCGETS) to determine how to handle the file descriptor. This is denied by SELinux. Allow it for all domains. Addresses the following denial: avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 TODO: When kernels are publicly available which support SELinux ioctl filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls. Bug: 21215503 Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898
Nick Kralevich authoredhttps://android-review.googlesource.com/166419 changed the handling of non-interactive adb shells to use a socket instead of a PTY. When the stdin/stdout/stderr socket is received by /system/bin/sh, the code runs isatty() (ioctl TCGETS) to determine how to handle the file descriptor. This is denied by SELinux. Allow it for all domains. Addresses the following denial: avc: denied { ioctl } for pid=4394 comm="sh" path="socket:[87326]" dev="sockfs" ino=87326 ioctlcmd=5401 scontext=u:r:shell:s0 tcontext=u:r:adbd:s0 tclass=unix_stream_socket permissive=0 TODO: When kernels are publicly available which support SELinux ioctl filtering, limit this just to ioctl 5401 (TCGETS) instead of all ioctls. Bug: 21215503 Change-Id: I5c9394f27b8f198d96df14eac4b0c46ecb9b0898