From 0560e75e4f03e4637637de8512a4718fe7870df8 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 8 Mar 2015 23:02:59 -0700
Subject: [PATCH] system_server: allow handling app generated
 unix_stream_sockets

Allow system_server to handle already-open, app-created unix_stream_sockets.
This is needed so that system_server can receive a socket
created using socketpair(AF_UNIX, SOCK_STREAM) or
socketpair(AF_UNIX, SOCK_SEQPACKET). Needed for future Android
functionality.

Addresses the following denial:

  type=1400 audit(0.0:9): avc: denied { read write } for path="socket:[14911]" dev="sockfs" ino=14911 scontext=u:r:system_server:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=unix_stream_socket permissive=0

Bug: 19648474
Change-Id: I4644e318aa74ada4d98b7f49a41d13a9b9584f39
---
 system_server.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system_server.te b/system_server.te
index 41036b62c..537876664 100644
--- a/system_server.te
+++ b/system_server.te
@@ -313,7 +313,7 @@ allow system_server gps_control:file rw_file_perms;
 
 # Allow system_server to use app-created sockets and pipes.
 allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:fifo_file { getattr read write };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
 
 # Allow abstract socket connection
 allow system_server rild:unix_stream_socket connectto;
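Review bot: The new unix_stream_socket rule on the added line grants only { getattr read write }, whereas the tcp_socket/udp_socket rule two lines above also allows getopt, setopt and shutdown; if system_server ever calls shutdown() or setsockopt() on a socket it received from an app, that will be denied and surface as a fresh avc, so either the narrower set is deliberate and worth saying in the comment, or the permission list should match. The commit message covers SOCK_SEQPACKET as well, which is not visible from the rule itself (AF_UNIX SOCK_SEQPACKET appears to be classified under unix_stream_socket by the kernel, which is consistent with the single denial quoted); a comment such as `# unix_stream_socket also covers AF_UNIX SOCK_SEQPACKET socketpairs` would make that scope explicit. Since appdomain is an attribute spanning all app domains, this allows read/write on any app's already-open stream socket that reaches system_server, not only platform_app from the cited denial — presumably intended, but worth stating next to the rule.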
-- 
GitLab